WARNING

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of 
FCC Rules. These limits are designed to provide reasonable protection against such interference when operating in a 
commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed 
and used in accordance with this guide, may cause harmful interference to radio communications. 

Operation of this equipment in a residential area is likely to cause interference in which case the user, at his or her own 
expense, will be required to take whatever measures may be required to correct the interference. 

Changes or modifications to this device not explicitly approved by SMC will void the user's authority to operate this 
device. 

This device complies with Part 15 of the FCC Rules. Operation is subject to the following
conditions:

(1) This device must not cause harmful interference.

(2) This device must accept any interference received that may cause undesired operation.
1: Introduction



The SMC family of Secure Access Servers provides secure communication for remote users to access local 
network resources and allows IT professionals secure access to serial console ports for configuration and 
system administration on servers, routers, switches, telephone equipment, or any device with a serial port.

In addition to remote networking capabilities, the unit includes traditional terminal server functionality such 
as security features and modem control. The security features include dialback, passwords, database 
authentication, and menu mode. The unit also allows automatic modem configuration and control. 

1.1 IP Protocol Support

The unit supports the industry-standard IP network protocol. The IP protocol supports Telnet, Rlogin, and 
Domain Name Servers (DNS). The Telnet terminal protocol is supported on most UNIX systems. It is an 
easy to use interface that creates terminal connections to any networked host supporting Telnet. Rlogin 
enables you to initiate a TCP/IP login session. DNS enables a network name server to translate text node
names into numeric IP addresses. The unit also supports syslog functionality. 

Windows 95 users can run NetBIOS over IP and use the DNS for name resolution, or a primary or secondary 
NetBIOS nameserver (NBNS). See the IP chapter for more information. 

The unit supports static and dynamic routing. Static routes can be entered when routing is needed but a 
dynamic route is not desirable. Dynamic routing information is obtained and transmitted through the receipt 
and generation of RIP (Routing Information Protocol) packets. The unit also allows dynamic allocation of 
IP addresses. 



1.2 Link Layer Support

Two serial link-layer protocols are supported by the unit: PPP and SLIP. 
PPP 

The unit supports the transfer of IP over PPP. Two PPP authentication 
protocols are supported: the Password Authentication Protocol (PAP) and the 
Challenge Handshake Authentication Protocol (CHAP). 

SLIP 

The unit supports SLIP and compressed SLIP (CSLIP). 

1.3 Remote Networking Support 

The unit supports the following remote networking features: 
Remote node logins

A single remote node (such as a laptop) may log into the unit, form a 
connection, and use a network's services as if it were directly connected to that 
network. 

Incoming and outgoing LAN to LAN connections

The unit can be used to connect two networks that don't always need to be 
connected; for example, a small remote office LAN and a central office LAN. 



Packet filtering

Packet traffic can be restricted in a number of ways using packet filters. Filters
may be used to restrict outgoing traffic, restrict incoming traffic, determine
connection time-outs, or determine whether or not an outgoing connection
should be initiated.

Chat scripts

The unit supports the use of chat scripts to communicate with equipment at a
remote location.



Bandwidth on demand (Multilink PPP) 

The unit may be configured to analyze current bandwidth utilization and add
or subtract bandwidth when necessary. 

Connection restrictions 

Connections may be restricted to particular time periods and days of the week.

IP header compression 

The unit may be configured to compress IP packet headers, reducing the delay 
and bandwidth requirements. 

Authentication 

The unit may be configured to require a dial-in user to authenticate itself. In 
addition, the unit may authenticate itself to remote hosts when required. 

1.4 Security Support

The unit enables you to secure your network in a number of ways. Supported features include: 

♦ Authentication of incoming connections in a variety of ways, including Kerberos, SecurID, RADIUS,
and CHAP/PAP 

♦ Authentication of outgoing LAN to LAN connections 

♦ Dialback during incoming connection attempts 

♦ Restriction of user access to commands and functions 

♦ Event logging 

For more information on any of these features, see the Security chapter. 
1.5 Using This Manual

While this reference manual primarily explains unit setup from the command interface, EZWebCon users
should read this manual for conceptual information and cautionary material. The chapters should be read in 
order: 

Note: If at any point you need to look up a specific command, see Chapter 11, 
Command Reference. This chapter details the entire unit command set. 

♦ Chapter 2, Getting Started 

♦ Chapter 3, Basic Remote Networking 

♦ Chapter 4, Additional Remote Networking 

♦ Chapter 5, IP 

♦ Chapter 6, PPP 

♦ Chapter 7, Ports 

♦ Chapter 8, Modems 

♦ Chapter 9, Modem Sharing 

♦ Chapter 10, Security 

♦ Chapter 11, Command Reference. This chapter is divided into sections for Navigation/Help, IP, Port, 
Modem, Service, Server, Site, and Security commands. 

♦ Appendix A, Contact Information 

♦ Appendix B, Environment Strings 

♦ Appendix C, SNMP Support 

♦ Appendix D, Supported RADIUS Attributes 
This chapter covers some background information to get you started using the unit. Topics include methods
for setting up the unit and ongoing maintenance issues such as restoring factory default settings. 

This chapter assumes the following: 

♦ The unit is running operational code (i.e. the unit has successfully booted) 

♦ The unit is connected to an Ethernet 

♦ The unit has been assigned an IP address. 

Note: For details on booting, installation, or IP address assignment, refer to your 
Installation Guide. 

2.1 Getting Started 

To get started with the unit, complete the following steps: 

1 Install the unit. Refer to the included Installation Guide for instructions.

2 Assign an IP address to the unit. See the Installation Guide for instructions. 

3 Install EZWebCon, which is shipped with the unit on CD-ROM and is also available from the SMC 
web site. EZWebCon is an easy-to-use, point-and-click configuration utility that will enable you to
set up your unit over the network. 

Note: The EZWebCon CD includes a Read Me file that will provide directions for
installation. 

4 Run EZWebCon to configure your unit. 

If you choose to configure the unit without EZWebCon, you will need to determine your desired setup and 
enter a series of configuration commands at the command line. This manual covers all the information 
necessary to configure your unit from the command line interface. 

2.2 Methods of Configuration 

The unit may be configured using EZWebCon or by issuing commands at the command line (Local>) 
prompt. 

To configure the unit when a problem has occurred (for example, if the unit does not boot successfully and 
a Boot> prompt appears on the console port), refer to the Troubleshooting appendix of your Installation 
Guide. 
2.2.1 EZWebCon

The EZWebCon software is the easiest way to configure the unit. EZWebCon guides you through 
configuration using a graphical interface. 

EZWebCon is included on the CD-ROM that is shipped with each unit. All instructions for using
EZWebCon are listed in the Read Me file located on the CD-ROM. For assistance once EZWebCon is
running, refer to the EZWebCon online help. 

2.2.2 Command Line Interface 

To configure the unit without EZWebCon, you must enter configuration commands at the command line. 
These commands should be entered when a port is in character mode, which is when the Local> prompt is
displayed.

To display the Local> prompt, do one of the following: 

♦ Connect a terminal to the serial console port and press the Return key until the prompt is displayed. 

♦ Establish a Telnet or Rlogin connection to the unit from a TCP/IP host. 

♦ In EZWebCon, select "Telnet To Device" from under the Actions menu.

♦ Establish a TCP/IP remote console connection. For a complete description, see Chapter 5, IP. 

Note: The default serial port parameters are 9600 baud, 8 data bits, 1 stop bit, no 
parity, and XON/XOFF flow control. 

2.3 Commands 

In examples throughout the manual, unit commands and keywords are displayed in upper case for clarity. 
They may be entered in upper, lower, or mixed case. 

The Command Reference chapter (Chapter 11) displays the syntax of each command, including any 
restrictions, known errors, and references to related commands. Optional parameters are enclosed in 
brackets []. Required parameters are enclosed in curly braces {}; one and only one of those parameters must 
be used. User-supplied parameters, such as a particular port number or host name, are shown in italics. 

When entering a string, such as a username or filename, enclose the string in quotes; this will retain the case 
entered. If a string is not enclosed in quotes, it will automatically be changed to all uppercase characters. 

The unit command completion feature will complete partially-typed commands for you. This feature can 
save time and reduce errors if you're entering a number of commands. To use command completion, type 
part of a command, then press the space bar. The unit will automatically "type" the remainder of the 
command. 

Note: Command completion is disabled by default. To enable command completion, 
refer to Set/Define Ports Command Completion on page -46. 
All keys used for entering and editing commands are listed in Table 2-1.

Table 2-1: Command Editing Keys

Key                     Purpose
Return                  Executes the current command line
Delete                  Deletes the current character before the cursor
Ctrl-A                  Toggles insert mode (insert or overstrike). Overstrike is on by default.
Ctrl-D                  Logs out of the server
Ctrl-E                  Moves the cursor to the end of the line
Ctrl-H or Backspace     Moves the cursor to the beginning of the line
Ctrl-R                  Redisplays the current command
Ctrl-U                  Deletes the entire current line
Ctrl-Z                  Logs out of the server
Left Arrow              Moves the cursor left
Right Arrow             Moves the cursor right
Up Arrow or Ctrl-P      Recalls the previous command
Down Arrow or Ctrl-N    Recalls the next command
!text                   Recalls the last command starting with text
!!                      Recalls the last command



2.3.1 Command Types 

The following commands appear frequently throughout this manual. There are subtle differences between 
each group of commands, as explained below. 

2.3.1.1 Set and Define 

Set      Makes an immediate (but not permanent) change; the change will be lost when the unit is
         rebooted. To make the change permanent, you must also enter the Save command.

Define   Makes a permanent change, but the change doesn't take effect until the unit is rebooted.

Note: Define Ports will take effect as soon as the port is logged out, and Define Site 
will take effect when a site starts. 

2.3.1.2 Show/Monitor/List 

Show     Displays the current settings. Current settings include those made using the Set command
         but not saved as permanent changes.

Monitor  Displays the current settings; information is updated every three seconds.

List     Displays permanent settings.



2.3.1.3 Clear/Purge 



Clear    Removes a configured setting immediately, but does not make a permanent change.

Purge    Removes a configured setting permanently, but does not take effect until the unit is
         rebooted.

Note: Purge Port will take effect as soon as the port is logged out, and Purge Site will
take effect when a site starts.



2.3.2 Restricted Commands

Some commands require privileged (superuser) status. To obtain privileged status, you must enter the
privileged password. See Set Privileged/Noprivileged on page -69 for instructions.

The unit prompt will change to reflect privileged user status if configured to do so. See Changing the unit
Local Prompt on page 2-7 and Set/Define Server Prompt on page -109 for more information.

2.4 Rebooting the Unit

There are two ways to reboot the unit:

♦ At the Local> prompt, issue the Initialize Server command, discussed on page -101.

♦ Press the Reset button while cycling power to the unit.

When the unit is rebooted, any changes made using Set commands will be lost. To ensure that the changes
will be saved, use the Define command, or use the Save command after the Set command.

Before rebooting the unit, log out any current user sessions (if possible). Disconnecting sessions may
prevent connection problems after the unit is rebooted. It is courteous to warn users that the unit will be
"going down"; this can be done using the Broadcast feature.

2.4.1 Broadcast

Broadcast messages are sent to local users, but not remote networking users. Broadcasts can be sent with
the following command.

Figure 2-1: Broadcast Command

Local>> BROADCAST ALL "Server shutdown in 5 minutes."
2.4.2 Restoring Factory Defaults

Restoring factory default settings will erase all changes made since the unit was shipped; the unit will 
function as if it just came out of the box. To restore factory defaults, enter the Initialize Server Factory 
command at the Local> prompt. 

To perform a TFTP boot, the unit IP and loadhost information will have to be re-entered. (If a BOOTP 
server will provide this information, this is not required.) Refer to your Installation Guide for instructions. 

2.4.3 Reloading Operational Software 

The unit stores its software in Flash ROM. The software controls the initialization process, the operation of 
the unit, and the processing of commands. The contents of Flash ROM can be updated by downloading a 
new version of the operational software. 

For instructions on reloading Flash ROM, refer to your Installation Guide. 

2.4.4 Editing Boot Parameters 

If the information that the unit uses at boot time changes, you will need to change the unit boot parameters. 
Boot parameters include the following: 

♦ Loadhost (TCP/IP) 

The loadhost is the host from which the unit operational software is downloaded at boot time. 

♦ Backup loadhost (optional) 

Software is downloaded from a backup loadhost when the primary loadhost is unavailable. 

♦ Software filename 

♦ RARP (may be enabled or disabled) 

♦ BOOTP (may be enabled or disabled) 

Boot parameters are edited using Set/Define Server commands such as Set/Define Server Loadhost. 

Server commands are discussed in Server Commands on page -101. 

Figure 2-2: Editing the Loadhost Address 

Local>> DEFINE SERVER LOADHOST 192.0.1.8



2.5 System Passwords 

The unit has both a privileged password and a login password. These passwords have default settings which 
should be changed as soon as possible. The following sections discuss each password in more detail. 
2.5.1 Privileged Password

Changing any server, site, or port setting requires privileged user status. You will need to use the Set 
Privileged command at the Local> prompt to become the privileged user. The default privileged password 
on the unit is system. 

Figure 2-3: Set Privileged Command 



Local> SET PRIVILEGED 
Password> system (not echoed) 
Local>> 



Note: The complete command syntax for Set Privileged is available on page -69. 

To change the privileged password, use the Set/Define Server Privileged Password command (discussed
on page -108). Figure 2-4 displays an example of this command. 

Figure 2-4: Changing the Privileged Password 

Local> SET PRIVILEGED 
Password> system (not echoed) 

Local>> SET SERVER PRIVILEGED PASSWORD hippo
Local>> DEFINE SERVER PRIVILEGED PASSWORD hippo



Note: The privileged password is case-insensitive, so it does not need to be enclosed in 
quotes. 

2.5.2 Login Password 

Each port can be configured to require a login password when in character mode. Users will be prompted 
for this password when attempting to log into the port; the Local> prompt will not be displayed until the 
correct password is entered. The default login password is access. 

Note: When a port is in character mode, PPP and SLIP are not running. See Port 
Modes on page 7-3 for a complete description. 

To change the login password, use the Set/Define Server Login Password command. 

Figure 2-5: Defining the Login Password 



Local>> DEFINE SERVER LOGIN PASSWORD badger



Note: The login password is case-insensitive, so it does not need to be enclosed in 
quotes. 

To enable the use of the login password on the appropriate port(s), use the following command: 

Figure 2-6: Enabling the Login Password 



Local>> DEFINE PORT 3 PASSWORD ENABLED



Note: To enable the password on virtual ports, use the Set/Define Server Incoming 
command instead. 
2.6 Basic Configuration

The following sections discuss features that will identify and personalize each unit. Most of these 
features can be changed or updated periodically or on an ongoing basis. 

2.6.1 Changing the Server Name 

The unit is initially configured with a server name. However, you can give the server a custom name of up 
to 16 alphanumeric characters using the following command. 

Figure 2-7: Changing the Server Name 

Local>> DEFINE SERVER NAME "CommServer"



Note: The server name must be enclosed in quotes to preserve case. 

2.6.2 Changing the Local Prompt 

The prompt each user receives (usually the Local_x> prompt, where x is the port number) is configurable 
in a variety of ways. For a basic prompt, enter a string similar to the following. 

Figure 2-8: Configuring the Server Prompt 

Local> SET SERVER PROMPT "Server> " 
Server> 



For a customized prompt, optional key combinations can be added to the prompt string. See Set/Define 
Server Prompt on page -109 for more information. Placing a space after the end of the prompt is 
recommended to improve readability. 

Note: The remote console port prompt cannot be changed. 

Figure 2-9 displays a few examples of commands used to change prompts. In the examples, the first 
command line results in the prompt used in the second command line, and so on. 

Figure 2-9: Prompt Examples 

Local> SET SERVER PROMPT "Port %n: " 
Port 5: SET SERVER PROMPT "%D:%s: " 
SMC:LabServ: SET SERVER PROMPT "%p%s_%n%P%% " 
Port_5 [NoSession]_5>% 



2.6.3 Changing the Login Prompts 

When a user logs into the unit, he is prompted for a username, and sometimes a login password. By default, 
the prompts are Username> and Password>. The prompts can be changed to be more like UNIX prompts
(login: and Password:) with the following command. 

Figure 2-10: Configuring the Server Prompt 

Local> SET SERVER ALTPROMPT ENABLED
2.6.4 Setting the Date and Time

The unit can calculate and save the local time, Coordinated Universal Time (UTC, also known as Greenwich
Mean Time or GMT), standard and Daylight Savings timezones, and the corresponding number of hours
difference between UTC and the set timezone.

2.6.5 Setting the Clock 

Use the Set/Define Server Clock command at the Local> prompt. Time should be entered in hh:mm:ss 
"military format" as shown in the example below. 

Figure 2-11: Setting the Clock 

Local>> SET SERVER CLOCK 14:15:00 12/01/2000



2.6.6 Setting the Timezone 

The unit is configured to recognize a number of timezones. To display these timezones, use the Show 
Timezone command at the Local> prompt. Set the timezone by using the Set/Define Server Timezone 
command at the Local> prompt. 

Figure 2-12: Setting the Timezone 

Local> DEFINE SERVER TIMEZONE US/PACIFIC 

If your timezone is not displayed, you will need to set it manually. Use the following information to set the
timezone:

♦ A three-letter timezone abbreviation; for example, PST

♦ The number of hours offset from UTC (Greenwich Mean Time); for example, -9:00 

♦ The time, day, and amount of any time changes (for example, daylight savings time information) 

Note: Specifying time change information is optional.

To set the timezone at the Local> prompt, refer to the following example.

Figure 2-13: Manual Timezone Configuration 

Local>> DEFINE SERVER TIMEZONE EST -3:00 EST 1 Mar Sun>=1 3:00 Oct lastSun 2:00



In Figure 2-13, the first EST specifies that Eastern Standard Time will be used as the reference point. The 
second value, -3:00, indicates that this timezone is 3 hours behind Eastern Standard Time. 

The third and fourth values, EST and 1, specify that when a time change occurs the time will move forward 
one hour. The time change will occur in March, denoted by Mar. The date that the time change will occur 
will be the Sunday (Sun) greater than or equal to 1 (>=1), in other words, the first Sunday in the month. The 
3:00 specifies that the time change will occur at 3 o'clock. 
The final three values of the command string represent the day and time when the time will revert to the
original time, in other words, when the time change will be reversed. The Oct and lastSun indicate that the 
time will revert on the last Sunday in October. The time change will occur at 2:00. 

2.6.7 Configuring a Timeserver 

The unit regularly verifies and updates its setting with the designated timeserver. A timeserver is a host 
which provides time of day information for nodes on a network. 

To specify a timeserver or backup timeserver, use the Set/Define IP Timeserver command.

Figure 2-14: Defining Timeservers 

Local>> DEFINE IP TIMESERVER 193.0.1.50
Local>> DEFINE IP SECONDARY TIMESERVER 193.0.1.51



2.7 Configuration Files 

A configuration file is a series of unit commands used to automatically configure the server. A 
configuration file may be used by the system administrator when necessary or downloaded automatically 
every time the server boots. 

Using a configuration file can reduce the time required to configure the unit. Options that would need to be 
manually set using EZWebCon or using commands at the Local> prompt can be automatically executed.

2.7.1 Saving a Configuration File 

2.7.1.1 Using EZWebCon 

EZWebCon will examine the current configuration of your unit, translate this information into a series of
commands, and save the commands in a file. This file may then be downloaded to configure the server.
Refer to EZWebCon's online help for more information.

2.7.1.2 Without EZWebCon

To create a configuration file without EZWebCon, each unit command will need to be manually entered in
the file. Complete the instructions in the following sections. 

2.7.1.2.1 Creating the File 

On your host, enter a series of unit commands, one command per line. Privileged commands may be 
included; when the file is downloaded, the commands will be executed as if a privileged user was logged 
into the unit. 

Capitalization of commands is optional. If a string (such as a filename) is entered, it must be enclosed with 
quotes in order to preserve the case. To include a comment in the file, preface the line with a pound (#) 
character. These lines will be ignored. 
If Define Server commands are included in the file, they will not take effect until the unit is rebooted.
Define Port commands will not take effect until the specified ports are logged out. Define Site commands 
will take effect when the specified site is started. 

The configuration file must not contain any initialization commands (for example, Initialize or Crash). 
Because the file is read when the unit boots, a "reboot" command in the file would cause the unit to boot 
perpetually. You would then have to flush the NVR to correct the error.

Testing the configuration file is strongly recommended. To test the file, use the Source command, discussed 
on page -116. 

An example of a configuration file is displayed below. 

Figure 2-15: Configuration File 



DEFINE PORT 2 SPEED 9600 
DEFINE PORT 2 PARITY NONE 

# The following commands set up the ports: 
DEFINE PORTS 2 ACCESS DYNAMIC 



2.7.2 Using a Configuration File

A configuration file can be downloaded from a TCP/IP host (via TFTP). Ensure that TFTP downloading is 
enabled on your host and place the configuration file in a download directory. 

To configure the unit using the commands in a configuration file, use the Source command, discussed on 
page -116. 

If the configuration file must be downloaded each time the unit boots, the filename must be specified using
the Set/Define Server Startupfile command. A TCP/IP filename must be specified in host:filename
format, where host is an IP address.

Note: If lower-case or non-alphabetical characters are used, the filename must be 
enclosed in quotes. 

For example, to download the file config.sys from TCP/IP host 192.0.1.110, use the following command: 

Figure 2-16: Downloading From a TCP/IP Host 

Local>> DEFINE SERVER STARTUP "192.0.1.110:config.sys"



If the unit has a nameserver defined, a text name may be specified as a TCP/IP host name. The unit will 
attempt to resolve the name at boot time; if it cannot resolve the name, the download will fail. To designate 
a nameserver, see Set/Define IP Nameserver on page -24. 

Note: The unit is not usable during download attempts. 
During its boot sequence, the unit will load its operational code first, then attempt to download the
configuration file. If the attempt to download the configuration file is unsuccessful, the unit may re-attempt
the download. By default, the unit will make a total of six attempts to download the file (one initial attempt 
and five re-attempts). To change this setting, use the Set/Define Server Startupfile Retry command. 

Figure 2-17: Setting Number of Download Attempts 

Local>> DEFINE SERVER STARTUPFILE "TROUT\SYS:\LOGIN\config.sys" RETRY 10



If Retry is set to zero, the unit can no longer be used; it will wait indefinitely for the configuration file to 
download. 
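
The configuration-file rules in sections 2.7.1.2.1 and 2.7.2 can be checked on the host before the file is placed in the TFTP download directory. The Python linter below is an added example, not part of this manual or of the unit's software; its function names, finding codes and sample file are constructed for illustration. It assumes the full keywords shown in the manual's figures and, as a cautious assumption the manual does not confirm, also flags abbreviations of Initialize and Crash of four or more letters.

```python
import re

# Factory defaults named in section 2.5; the manual says passwords are case-insensitive.
DEFAULT_PASSWORDS = {"SYSTEM", "ACCESS"}
# Commands that section 2.7.1.2.1 says must not appear in a startup file.
FORBIDDEN = ("INITIALIZE", "CRASH")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample startup file (not taken from a real unit).
SAMPLE = '''\
# constructed sample startup file
DEFINE PORT 2 SPEED 9600
define server name CommServer
DEFINE SERVER LOGIN PASSWORD access
DEFINE SERVER PRIVILEGED PASSWORD hippo
DEFINE SERVER STARTUPFILE "192.0.1.110:config.sys" RETRY 0
# INITIALIZE SERVER
INITIALIZE SERVER
'''


def tokens(line):
    """Split a command into (seen, quoted, raw) triples.

    'seen' is the text as the unit would store it: quoted strings keep their
    case, unquoted text is changed to uppercase.
    """
    out = []
    for m in TOKEN.finditer(line):
        if m.group(1) is not None:
            out.append((m.group(1), True, m.group(1)))
        else:
            out.append((m.group(2).upper(), False, m.group(2)))
    return out


def check_server(args):
    """Yield (code, message) for the arguments that follow SET/DEFINE SERVER."""
    seen = [a[0] for a in args]
    if seen[:2] in (["PRIVILEGED", "PASSWORD"], ["LOGIN", "PASSWORD"]) and len(args) > 2:
        if args[2][0].upper() in DEFAULT_PASSWORDS:
            yield "default-password", "sets a factory-default password"
        else:
            yield "cleartext-password", "password is sent in cleartext when the file is fetched via TFTP"
    elif seen[:1] in (["STARTUPFILE"], ["STARTUP"]) and len(args) > 1:
        _, quoted, raw = args[1]
        # Lower-case or non-alphabetical characters require quotes (section 2.7.2).
        if not quoted and not (raw.isalpha() and raw.isupper()):
            yield "unquoted-filename", "filename must be enclosed in quotes"
        rest = args[2:]
        for (kw, kw_quoted, _), (val, _, _) in zip(rest, rest[1:]):
            if kw == "RETRY" and not kw_quoted and val == "0":
                yield "retry-zero", "unit will wait indefinitely for the download"
    elif seen[:1] == ["NAME"] and len(args) > 1:
        _, quoted, raw = args[1]
        if not quoted and raw != raw.upper():
            yield "case-lost", "unquoted name will be changed to uppercase"


def lint(text):
    """Return a list of (line_number, code, message) findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and # comments are ignored by the unit
        toks = tokens(stripped)
        verb, verb_quoted = toks[0][0], toks[0][1]
        if not verb_quoted and len(verb) >= 4 and any(f.startswith(verb) for f in FORBIDDEN):
            findings.append((n, "reboot-loop", "initialization command in a startup file"))
            continue
        if verb in ("SET", "DEFINE") and len(toks) > 2 and toks[1][0] == "SERVER":
            findings.extend((n, code, msg) for code, msg in check_server(toks[2:]))
    return findings


if __name__ == "__main__":
    for lineno, code, msg in lint(SAMPLE):
        print(f"line {lineno}: {code}: {msg}")
```

Run it against the file on the TFTP host, then test the file on the unit with the Source command as the manual recommends.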
The unit connects to remote nodes or networks using serial network links, which allow network traffic to
flow through ordinary modems. This chapter discusses initiation, maintenance, and disconnection of these 
remote connections. 

After completing this chapter, you should be able to configure the unit to support the following types of 
connections: 

♦ Incoming remote node 

♦ Incoming character, PPP, and SLIP modes in a secure manner 

♦ Basic outgoing LAN to LAN using PPP 

The functionality described in this chapter may not meet all of your performance or network security needs. 
If your network requires more complex configuration, or if you are not using modems, refer to Chapter 4, 
Additional Remote Networking, for additional configuration instructions. 

3.1 Connection Types

The unit enables two types of remote networking connections: LAN to LAN and remote node. 

3.1.1 LAN to LAN 

In LAN to LAN connections, the unit provides a link between two networks. The unit will communicate 
with a remote router, which may be another access server, a UNIX machine capable of PPP routing, or 
another unit. The unit may be connected to the remote router with temporary "dial on demand" connections 
such as ordinary dialup modems. The unit may also be permanently connected to the remote router with 
leased lines, a statistical multiplexor, or a direct serial connection. 

LAN to LAN connections are often used to connect two locations that do not always need to be connected. 
For example, a small remote office with only a few nodes and a central office might need to be connected
occasionally; however, the amount of traffic wouldn't warrant using a leased line for the connection. Using
a unit and dialup modems, the connection would come up and go down when required, simulating a
permanent connection between the two locations. 

3.1.2 Remote Node 

A remote node connection enables a single remote node (such as a PC) to use a network's services. For 
example, a laptop user on a business trip may wish to access files from a network's file server. Using a 
modem, the laptop could dial the unit, form a connection, and download the files as if the laptop were
directly connected to that network. 

The unit cannot initiate connections to remote nodes. Remote nodes must call the unit when they wish to 
communicate with the network. 
3.2 Managing Connections With Sites

A site represents a remote physical location, such as a remote router or a remote node. Sites are referenced 
by a name, such as Seattle. The site's name should indicate the physical location of the remote device, a 
group of remote node users, or a particular remote node user. 

Note: Using sites for connections enables each connection to have different
characteristics; connections aren't limited solely to the characteristics of the
ports used.

Sites serve four purposes: 

1 To configure the unit and the remote router appropriately for a connection. For example, particular 
unit ports may be assigned for use with the connection. 

2 To enforce specific network requirements. For example, compression may be required for all 
connections. 

3 To manage a connection once it is in place. For example, it may be desirable to control the amount of 
bandwidth used for a connection. 

4 To enable a system administrator to monitor a single connection. For example, a system administrator 
may wish to restrict remote node users to a particular range of IP addresses. 

Every incoming and outgoing networking connection has a site associated with it. To create and edit sites, 
see Creating a New Site on page 3-2. 

The type of authentication used determines which sites will be used. For more information, see Incoming 
Connections on page 3-8 and Outgoing Connections on page 3-13. 

The Define Site commands are used to create new sites and edit existing sites. The Show/Monitor/List 
Sites commands are used to get information about existing sites. 

These commands require privileged access, which is denoted in the following examples with the Local>>
prompt. For information on obtaining privileged access, see Set Privileged/Noprivileged on page -69. 

3.2.1 Creating a New Site 

To create a new site, assign a name using the following command. 

Figure 3-1 : Creating a New Site 

Local>> DEFINE SITE IRVINE



The site you just created will use a "factory default" configuration (see Table 3-1 on page 3-3). Those 
settings can be changed to meet your needs. 
3.2.1.1 Default Site Configuration

The default site configuration is used for all temporary sites and is automatically assigned to any new site 
created with the Define Site command. To display the default configuration, use the following command: 

Figure 3-2: Displaying Default Sites 

Local>> LIST SITE DEFAULT 

The following table lists the default site configuration. 

Table 3-1: Default Site Configuration 

Characteristic                            Configuration in Default Site
----------------------------------------  -----------------------------
CHAP authentication on outgoing calls     Disabled
PAP authentication on outgoing calls      Disabled
Remote password                           None configured
Local password                            None configured
Username                                  None configured
Chat script entries                       None
IP compression                            Enabled
IP packet forwarding                      Enabled
Maximum idle time                         10:00 (10 minutes)
Remote host's IP configuration            Undefined
IP compression slots                      16
Maximum packet size (MTU): PPP            1522
Ports defined                             None
PPP                                       Enabled
SLIP                                      Disabled
Telephone number of remote site           None defined
Outgoing packet filter                    None defined
Incoming packet filter                    None defined
Idle time filter                          None defined
Startup filter                            None defined
Maximum packet size (MTU): SLIP           1500
Maximum session time                      Disabled



3.2.2 Displaying Existing Sites 

To display currently active sites, use the Show Site command. To display all defined sites, use the List Site 
command. 

To display specific information about sites, the following parameters may be used in conjunction with Show 
Site and List Site: IP, Ports, Counters, and Status. For example, to display the IP configuration of site irvine, 
use the following command: 

Figure 3-3: Displaying a Site's IP Configuration 

Local>> LIST SITE IRVINE IP 



Note: The List Site command is used in Figure 3-3 because site irvine isn't currently 
running. 

3.2.3 Editing Sites 

All site characteristics can be edited with the Define Site commands. For example, a site's authentication 
can be edited with the command below. 

Figure 3-4: Editing Site Characteristics 

Local>> DEFINE SITE irvine AUTHENTICATION PAP DISABLED 

Note: Site Commands are discussed on page -117. 

Currently active sites can be edited, but changes will not take effect until the site is logged out. 

3.2.4 Testing Sites 

The Test Site command causes a site to start as if outgoing traffic for the site had come into the unit. It 
allows users to test sites without having to generate packet traffic. To test a site, enter a command similar 
to the following. 

Figure 3-5: Testing a Site 

Local>> TEST SITE irvine 



The terminal will display a message that the specified site has started. To stop the test, enter the Logout Site 
command followed by the site name. 

In the event that there is a problem with the site, or the Test Site command does not work, the unit site 
logging feature may be useful. See Set/Define Logging Site on page -155 and Show/Monitor/List Logging 
Site on page -160 for more information. 

3.2.5 Deleting Sites 

To delete a site, use the Purge Site command. 

Figure 3-6: Deleting a Site 

Local>> PURGE SITE irvine 

When the Purge command is used with the default site, the site's default configuration will be restored; any 
editing changes you've made to the default site will be removed. 

Figure 3-7: Restoring Default Site Configuration 

Local>> PURGE SITE DEFAULT 



3.2.6 Using Sites for Incoming Connections 

Incoming connections, both remote node and LAN to LAN, can use either custom sites, or temporary sites 
which use the default site's configuration. 

Custom sites allow the most flexibility in the control and configuration of incoming connections. They are 
used when a specific configuration is required for the incoming router or remote node, and should be named 
for the location or user that is calling the unit. Custom sites are required for Dialback and recommended for 
incoming LAN to LAN connections. 

If a group of incoming connections can use the same configuration, they can be allocated temporary sites 
used only for that session to save time and system resources. Each temporary site takes its configuration 
from the unit default site. The default site may be customized in the same manner as custom (named) sites; 
this customized configuration can then be shared with many remote routers and remote nodes. 

Note: The default site configuration is listed in Table 3-1 on page 3-3. 

When an incoming caller is allocated a temporary site, the name of the site is based on the port receiving 
the call. For example, an incoming call to port 3 may be allocated a temporary site named Port3. 

3.2.7 Using Sites for Outgoing Connections 

Note: The unit does not support outgoing remote node connections. 

A site must be configured for each outgoing LAN to LAN connection. This site controls when and how the 
unit will call the remote location, what protocols to use, and when to terminate the connection. 

Outgoing sites are typically named for the remote router that the unit will call; for example, if a site is used 
for outgoing connections to a remote router in Dallas, the site used for the connection might be named 
dallas. This site could also be used for incoming calls; if the router in Dallas needed to call the first unit, it 
could use dallas to make the connection. 



3.3 IP Address Assignment 

By default, sites use "unnumbered" interfaces for IP. The IP address of the Ethernet connected to the unit 
will be used as the IP address on all unit serial ports. This reduces the amount of configuration required 
and eliminates the need to allocate a separate IP network for each port. 

When the unit receives an incoming connection request (remote node or LAN to LAN), an IP address is 
negotiated for the caller. The address agreed upon depends on the caller's requirements; some don't have a 
specific address requirement, while others must use the same IP address each time they log into the unit. 

Note: PPP negotiation is covered in Chapter 6, PPP. 

For a complete discussion of IP address assignment (including configuration instructions), see IP Addresses 
on page 5-1. 

3.4 IP Routing 

The following sections discuss IP routing issues as they pertain to remote networking. For a complete 
discussion of IP routing, refer to Chapter 5, IP. 

When a packet is received from or generated for a remote network, the unit will check its routing table to 
determine the most efficient route to the destination. If the unit does not have a route to a remote network, 
it cannot send the packet to the destination. 

The entries in the routing table are one of three types: 

1 Local routes 

The network that is directly attached. This route is automatically determined from the unit IP address 
and network mask, and is never deleted. 

2 Static routes 

Routes that were manually entered in the routing table by a system administrator. These routes are 
used when the dynamic routes cannot be. 

3 Dynamic routes 

Routes learned through the receipt of RIP (Routing Information Protocol) packets. 

Each routing entry can point to another router on the Ethernet or to a site configured for LAN to LAN 
connections. 

3.4.1 Routes for Outgoing LAN to LAN 

Generally, the unit has static routes configured for each remote LAN that it will connect to. These routes 
point to sites that are configured for outgoing LAN to LAN connections. The first time that the unit needs 
to send a packet destined for a network on a remote LAN, the site will be activated and the unit will attempt 
to call the remote router. Once the connection has been formed, subsequent packets for the remote LAN will 
be forwarded over that link. 

While the unit is connected to the remote router, it may learn additional dynamic routes from that remote 
router. Once these additional routes are entered into the routing table, packets may be routed to these new 
networks as well. Once the connection is dropped, the unit can be configured to maintain these routes. 
Subsequent traffic to these dynamically learned networks or to the pre-existing static route networks will 
cause the site to form a new connection. 

If the unit is a stub router (or you're using the unit to connect to the Internet), default routes can be used 
to reduce configuration time. A stub router connects a LAN without any routers to a larger LAN. For 
example, in a remote office with no other outside connections, a unit that connects to exactly one other 
(larger) location is a stub router. All traffic generated on the remote office's LAN that is destined for the 
remote location must pass through the unit. A default route pointing to the larger site may be entered on the 
unit. 

Note: Default routes should be used with caution. See Chapter 5, IP for complete 
details. 

3.4.2 Routes for Incoming LAN to LAN 

If RIP is being used, no static routing entries need to be configured on the unit. Routes to networks on the 
remote LAN will be learned automatically. 

Note: RIP is enabled by default. 

If RIP is not being used, the unit must have a specific site configured for this incoming connection. The 
remote router must use this site when it connects to the unit. The site may be started in one of two ways: 
through the authentication sequence (which requires that authentication be appropriately configured), or 
with the Set PPP <sitename> command. Static routes pointing to the site must be configured for each of 
the incoming caller's IP networks. 

Note: To configure authentication, see Configuring Incoming Connections on page 3-11 
or Chapter 10, Security. 

3.4.3 Routes for Remote Node 

The unit automatically generates routes for remote nodes when the node connects. These routes are deleted 
when the connection is terminated. 

If the remote node receives a dynamic address from the unit IP address pool, a host route is entered for that 
address. If proxy ARPing is enabled (see Proxy ARP on page 5-17), the unit will proxy-ARP for the address. 
See Types of Routes on page 5-15 for more information. 

If a remote node uses an IP address that is not on the Ethernet's IP network, then the unit will enter a network 
route for that node. For example, if the unit's Ethernet IP address is 192.0.1.4, and a node selects the address 
192.0.2.6, the unit will enter a route to 192.0.2.0 in its routing table. 

Remote nodes do not have to make routing decisions, as they can only send network packets to the unit. 
Therefore, most remote nodes do not need to receive RIP packets. Sites that only support remote nodes may 
turn off RIP to reduce traffic on the connection. 

Figure 3-8: Disabling RIP Packets 

Local>> DEFINE SITE IP RIP DISABLED 



Note: For more information about disabling RIP, see Define Site IP on page -125. 

3.5 Incoming Connections 

The unit uses asynchronous serial lines to connect remote locations. A protocol is then run on this serial 
connection to allow network packets to be sent. 

The unit supports the use of PPP and SLIP to send network packets. 

PPP     PPP is the Point to Point protocol. Its use is recommended whenever possible. 
        PPP enables devices to simultaneously transport IP packets, negotiate certain 
        options, authenticate users, and use checksums with virtually no performance 
        loss. 

SLIP    SLIP is the Serial Line Internet Protocol. It is supported primarily for 
        backwards compatibility with equipment that does not support PPP. SLIP can 
        only transport IP packets; it does not support negotiation of IP address or 
        other options, nor does it provide any diagnostic facilities. 

To enable PPP and/or SLIP (they are both disabled by default), use the Define Ports PPP and Define Ports 
SLIP commands. For more information on these commands, see Port Modes on page 7-3. 



Figure 3-9: Enabling PPP and SLIP on a Port 

Local>> DEFINE PORT 2 PPP ENABLED 
Local>> DEFINE PORT 2 SLIP ENABLED 



3.5.1 Starting PPP/Slip for Incoming Connections 

When you initiate an incoming LAN to LAN or remote node connection, you can start PPP or SLIP in one of 
several ways: 

♦ The caller may be presented with a Local> prompt (the port will be in character mode), requiring him 
to enter commands in order to run PPP or SLIP. 

Note: For a description of the port modes, see Port Modes on page 7-3. 

♦ The port may detect when a PPP or SLIP packet is received and automatically run the appropriate 
protocol. 

♦ The port may be dedicated to PPP or SLIP; the protocol will automatically run when any character is 
received. 

A port may be configured to offer a combination of these methods, giving the incoming remote node or 
router flexibility in how the connection is started. 

To configure the unit for incoming LAN to LAN and remote node connections, see Configuring Incoming 
Connections on page 3-11. 

3.5.1.1 Starting PPP or SLIP from the Local> Prompt 

The Set PPP and Set SLIP commands may be entered from the Local> prompt. The remote router or node 
must pass through the authentication procedures, if enabled, on the port in character mode. The remote 
device must support chat scripts or must rely on a user to enter the required information and type Set PPP 
or Set SLIP at the Local> prompt. 

Note: For a complete description of authentication, refer to Chapter 10, Security. For 
information on chat scripts, see Chat Scripts on page 4-5. 

If no site name is given in the Set PPP or Set SLIP command, a temporary copy of the default site will be 
started. If a custom site is to be started, it can be specified as a string: Set PPP <sitename>. 

Note: To prevent users from starting inappropriate sites, users can be prompted for the 
site's local password. 

To use the Set PPP/Set SLIP commands, PPP and/or SLIP must be enabled on the port used for the 
connection. See Incoming Connections on page 3-8. 

3.5.1.2 Starting PPP or SLIP with Automatic Protocol Detection 

Automatic Protocol Detection allows the unit to determine which type of connection the remote device is 
attempting to establish. By detecting which protocol is to be run on each connection, a port can support 
character mode (Local> prompt) connections, PPP connections, and SLIP connections without 
reconfiguration. One modem pool can support all incoming connections; there is no need to dedicate ports 
to remote networking. 

Note: To configure autodetection, see Chapter 7, Ports. 

By default, the unit detects character mode by looking for the return character. If PPP detect is enabled on 
the port, and a PPP packet is detected, PPP will be started with a temporary copy of the default site. 

A custom site can also be run by enabling PPP authentication on the port. If the remote device sends a valid 
username and password and the username matches a site name, that site will start running on the port. All 
further configuration of the connection will be from this new site. 

If PPP authentication is not enabled on this port, there is a security risk. Unauthorized users may gain 
access to your network. Use dedicated PPP mode with PPP authentication (CHAP or PAP) wherever 
possible. If PPP authentication is not possible, use port authentication and the Set PPP command to 
authenticate incoming calls. 

Note: To configure PPP authentication, see Chapter 10, Security. 

If SLIP detect is enabled on the port, and a SLIP packet is detected, SLIP will be started. SLIP does not 
support authentication. Incoming connections to a port in dedicated SLIP mode cannot be authenticated. 
This is a security risk in most situations. Unauthorized users may gain access to your network. Use 
this mode with caution. 

Custom sites cannot be run when using dedicated SLIP as there is no method to switch sites once the 
temporary site is running. Start SLIP with the Set Slip command to allow custom sites and to authenticate 
incoming calls. 

3.5.1.3 Starting PPP or SLIP on a Dedicated Port 

A port may be dedicated to PPP or SLIP mode. Whenever the port receives a character, it starts up a 
temporary copy of the default site using the appropriate link layer. The port cannot be used for character 
mode connections and the Local> prompt cannot be reached. 

To dedicate a port, see Dedicated Protocols on page 7-9. 

Once PPP or SLIP is running, the behavior of a dedicated port is the same as a port with automatic protocol 
detection enabled. See Starting PPP or SLIP with Automatic Protocol Detection on page 3-9 for 
information about security issues. 

3.5.2 Incoming Connection Sequence 

The following steps detail the events that occur when the unit receives an incoming call. 

3.5.2.1 Ports Using Automatic Protocol Detection 

If the port receiving the call is using automatic protocol detection, or is dedicated to SLIP or PPP, the 
following sequence of events will take place. 

1 If automatic protocol detection (for PPP, SLIP, or both) is enabled, the link layer will start up 
automatically when a PPP or SLIP character is received from the incoming call. If the port is 
dedicated, the link layer will start upon the receipt of any character. 

2 The caller will be attached to a temporary site. The name of this site will be based on the port number 
used. For example, an incoming call to port number 6 will generate a temporary site named Port6. 

A If using SLIP, callers will continue to use the temporary site for the remainder of the connection. 

B If using PPP, the following steps will occur. 

1 If the unit port receiving the call has been configured to authenticate remote hosts using 
CHAP or PAP, CHAP/PAP will request a username and password from the remote host. If 
the remote host has been configured to send a username and password, it will send the pair to 
the unit. 

2 The username and password will be compared to existing site names. One of the following 
will occur. 

a If the username matches the name of a site, the site will be checked to see if it has a local 
password. If it does, this will be compared to the password entered by the caller. If the 
passwords match, the user will begin using the custom site; the temporary site will stop 
running. 

b If a site isn't configured with a password, or the password entered by the caller doesn't 
match the site password, the username/password pair will be compared to any 
authentication databases. One of two outcomes is possible. 

If a match is found, the connection will be successfully authenticated, and the caller will 
continue using the temporary site for the remainder of the connection. If a match is not 
found, the connection attempt will fail. 
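
The sequence above, written out as a small Python model so the outcome of each branch can be checked. This is an added example, not code from the manual or the unit's firmware. It models only which site a caller ends up on, not the CHAP/PAP exchange itself; the case-insensitive name matching, the handling of a caller that sends no credentials, and the sample usernames and database entries are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Unit:
    # Site name -> local password; None means no local password is configured.
    sites: Dict[str, Optional[str]] = field(default_factory=dict)
    # Authentication database, username -> password (constructed sample data).
    auth_db: Dict[str, str] = field(default_factory=dict)


@dataclass
class Outcome:
    connected: bool
    site: Optional[str]   # site the caller ends up running on
    verified: bool        # True only if a credential was actually checked
    why: str


def _same(a: str, b: str) -> bool:
    # The manual notes that passwords are case-independent; site names are
    # matched the same way here (assumption).
    return a.casefold() == b.casefold()


def incoming_call(unit: Unit, port: int, protocol: str,
                  ppp_remote_auth: bool = False,
                  username: Optional[str] = None,
                  password: Optional[str] = None) -> Outcome:
    """Follow steps 1-2 for a port that autodetects or is dedicated."""
    temp = f"Port{port}"                      # step 2: temporary site name
    proto = protocol.upper()
    if proto == "SLIP":                       # step 2A
        return Outcome(True, temp, False,
                       "SLIP cannot authenticate; temporary site for the whole call")
    if proto != "PPP":
        raise ValueError(f"unsupported link layer: {protocol}")
    if not ppp_remote_auth:                   # port does not request CHAP/PAP
        return Outcome(True, temp, False,
                       "PPP started without CHAP/PAP; caller was never challenged")
    if username is None or password is None:
        # Assumption: a caller that sends no credentials is a failed match.
        return Outcome(False, None, False, "no username/password received")
    # Step 2B.2a: username matches a site that has a matching local password.
    for name, local_pw in unit.sites.items():
        if _same(name, username) and local_pw is not None and _same(local_pw, password):
            return Outcome(True, name, True, "site name and local password matched")
    # Step 2B.2b: otherwise fall back to the authentication databases.
    db_pw = next((pw for user, pw in unit.auth_db.items() if _same(user, username)), None)
    if db_pw is not None and _same(db_pw, password):
        return Outcome(True, temp, True,
                       "authentication database matched; stays on temporary site")
    return Outcome(False, None, False, "no site or database match")


# Constructed sample unit: irvine has a local password, dallas does not.
UNIT = Unit(sites={"irvine": "gorilla", "dallas": None},
            auth_db={"jsmith": "constructed-pw"})

if __name__ == "__main__":
    cases = [
        ("SLIP", False, None, None),
        ("PPP", False, None, None),
        ("PPP", True, "irvine", "gorilla"),
        ("PPP", True, "irvine", "wrong"),
        ("PPP", True, "dallas", "anything"),
        ("PPP", True, "jsmith", "constructed-pw"),
    ]
    for proto, auth, user, pw in cases:
        r = incoming_call(UNIT, 6, proto, auth, user, pw)
        print(f"{proto:4} auth={auth!s:5} user={user!s:7} -> "
              f"connected={r.connected} site={r.site} verified={r.verified} ({r.why})")
```

The first two cases connect with verified=False, which is the exposure the security warnings in section 3.5.1.2 describe; a site with no local password (dallas) can never be selected by username.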

3.5.2.2 Ports Not Using Automatic Protocol Detection 

If an incoming call is received on a unit port that's not configured to automatically run PPP or SLIP, the 
following login sequence will occur. 

1 The caller sends a carriage return. 

2 If the port is configured to prompt for a login password, the caller must enter the correct login 
password to continue. If the port is configured to prompt for a username, the caller must then enter a 
username. If the port is configured for authentication, the caller will need to enter a valid password 
for the username. 

3 To start the link layer, the user will need to enter commands to start PPP or SLIP. One of two scenarios 
will occur. 

A If the caller specifies a site to be started when PPP or SLIP is started, the user will be attached to 
this site. If the site has been configured to prompt for its local password, the user will have to enter 
the site's local password. At this point, the caller would be unable to run another site. 

B If a site isn't specified, the user will be attached to a temporary site. The name of this site will be 
based on the port number used. For example, an incoming call to port number 6 will generate a 
temporary site named Port6. This site will be used for the remainder of the call. 

Note: Incoming LAN to LAN connections will need to enter commands via a chat script. 
See Chat Scripts on page 4-5. 

3.5.3 Configuring Incoming Connections 

Configuring the unit for LAN to LAN and remote node networking involves the following steps. 

1 Configure the Ports 

Port configuration for incoming connections involves a number of factors: whether PPP or SLIP will 
be used, whether the ports will be dedicated to PPP or SLIP, whether autodetection of PPP or SLIP 
will be used, and, if a modem is attached to any of the ports, how it will be configured. 

To configure a port's use of PPP or SLIP, see Chapter 7. To configure modems, see Chapter 8. 

2 Create the Sites 

If users will be starting up custom sites (by entering a username that matches an existing site name), 
those sites must be created. See Creating a New Site on page 3-2 for instructions. 

3 Configure Authentication 

Two types of authentication can be configured: use of the server login password, and 
username/password pairs for individual users. 

A Login Password 

In order to use a login password, a port must be in character mode. See Chapter 7, Ports, to 
configure a port's use of modes. 

Determine a login password and set the password using the Set/Define Server Login Password 
command. Then enable the use of the login password on the appropriate port(s) using the 
Set/Define Ports Password command. 

Figure 3-10: Defining the Login Password 



Local>> DEFINE SERVER LOGIN PASSWORD badger 
Local>> DEFINE PORT 3 PASSWORD ENABLED 



Note: Passwords are case-independent, even when enclosed in quotes. 

By default, incoming Telnet and Rlogin connections are not required to enter the login password. 
To require the login password, use the Set/Define Server Incoming command, described on page 
-105. 

B Username/Password Authentication 

Enable authentication on the appropriate ports. 

Figure 3-11: Enabling Authentication 

Local>> DEFINE PORT 2 AUTHENTICATE ENABLED 



If authentication should be performed before PPP or SLIP is running (while the port is still in 
character mode), ensure that autodetection of PPP and SLIP is disabled (see Figure 3-12). If the 
port automatically detects and runs PPP or SLIP, there will be no way to authenticate the user 
because the local prompt cannot be accessed. 

Keep in mind that PPPdetect and SLIPdetect will only need to be disabled on ports that have PPP 
and/or SLIP enabled. 



Figure 3-12: Disabling Autodetection of PPP and SLIP 

Local>> DEFINE PORT 2 PPPDETECT DISABLED 
Local>> DEFINE PORT 2 SLIPDETECT DISABLED 



In order for SLIP users to perform authentication, SLIPdetect must be disabled. SLIP users will 
only be able to authenticate incoming connections while the port is in character mode; once the 
port is running SLIP (for example, if the port is dedicated to SLIP using the Set/Define Port SLIP 
Dedicated command), authentication cannot be performed. 

If the port is configured to automatically run PPP, and you'd like to use CHAP or PAP to obtain 
a username and password from the incoming caller, enable remote CHAP and/or PAP 
authentication on the desired port. 



Figure 3-13: Enabling CHAP Authentication 

Local>> DEFINE PORT 2 PPP CHAP REMOTE 
Local>> DEFINE PORT 2 PPP PAP REMOTE 



Note: CHAP and PAP may both be enabled on the same port. 

If incoming connections will be entering usernames to start a custom site, ensure that the site has 
a local password. Callers will be required to enter this password in order to start the site. 

Figure 3-14: Configuring a Site's Local Password 

Local>> DEFINE SITE irvine AUTHENTICATION LOCAL "gorilla" 



Configure any databases that will be used for authentication and add the appropriate usernames 
and passwords. See Chapter 10, Security, for configuration instructions. 
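
A configuration review script for the port and site settings covered in sections 3.5.1 through 3.5.3. This is an added example, not a tool shipped with the unit: it reads a list of Define commands and reports the unauthenticated-access conditions the manual warns about. The sample configuration is constructed; the ENABLED forms of PPPDETECT and SLIPDETECT are assumed counterparts of the DISABLED forms in Figure 3-12, and settings that never appear are assumed to be off.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample configuration (not taken from a real unit).
SAMPLE_CONFIG = """\
Local>> DEFINE PORT 2 PPP ENABLED
Local>> DEFINE PORT 2 PPPDETECT ENABLED
Local>> DEFINE PORT 2 PPP CHAP REMOTE
Local>> DEFINE PORT 3 PPP ENABLED
Local>> DEFINE PORT 3 PPPDETECT ENABLED
Local>> DEFINE PORT 4 SLIP ENABLED
Local>> DEFINE PORT 4 SLIPDETECT ENABLED
Local>> DEFINE PORT 5 SLIP ENABLED
Local>> DEFINE PORT 5 SLIPDETECT DISABLED
Local>> DEFINE PORT 5 AUTHENTICATE ENABLED
Local>> DEFINE PORT 6 PPP ENABLED
Local>> DEFINE PORT 6 PPPDETECT DISABLED
Local>> DEFINE SITE irvine AUTHENTICATION LOCAL "gorilla"
Local>> DEFINE SITE dallas PORT 2 PRIORITY 1
"""

PROMPT = re.compile(r"^\s*Local\s*(?:>>|»|>)\s*")

EXPLAIN = {
    "SLIP-NOAUTH": "SLIP is autodetected or dedicated; callers cannot be authenticated",
    "PPP-NOAUTH": "PPP is autodetected without CHAP/PAP REMOTE on the port",
    "CHARMODE-NOAUTH": "Set PPP/Set SLIP reachable with no login password or username check",
    "SITE-NOLOCALPW": "site has no local password to gate callers who start it by name",
}


def parse_config(text):
    """Return (ports, sites) settings parsed from DEFINE PORT / DEFINE SITE lines."""
    ports, sites = defaultdict(dict), defaultdict(dict)
    for raw in text.splitlines():
        tok = shlex.split(PROMPT.sub("", raw))
        if len(tok) < 3 or tok[0].upper() != "DEFINE":
            continue
        kind, target = tok[1].upper(), tok[2]
        rest = [t.upper() for t in tok[3:]]
        if kind in ("PORT", "PORTS") and target.isdigit() and rest:
            settings = ports[int(target)]
            if rest[-1] in ("ENABLED", "DISABLED"):
                settings[" ".join(rest[:-1])] = rest[-1] == "ENABLED"
            else:  # multi-word flags such as "PPP CHAP REMOTE" or "SLIP DEDICATED"
                settings[" ".join(rest)] = True
        elif kind == "SITE":
            site = sites[target.lower()]  # any Define Site line registers the site
            if rest[:2] == ["AUTHENTICATION", "LOCAL"] and len(rest) == 3:
                site["local_password"] = True  # the password itself is not kept
    return ports, sites


def audit(ports, sites):
    """Return a list of (finding code, subject) tuples, ports first, then sites."""
    findings = []
    for num in sorted(ports):
        p = ports[num]
        ppp_auth = p.get("PPP CHAP REMOTE") or p.get("PPP PAP REMOTE")
        port_auth = p.get("PASSWORD") or p.get("AUTHENTICATE")
        slip_auto = p.get("SLIPDETECT") or p.get("SLIP DEDICATED")
        ppp_auto = p.get("PPPDETECT")
        if slip_auto:
            findings.append(("SLIP-NOAUTH", f"port {num}"))
        if ppp_auto and not ppp_auth:
            findings.append(("PPP-NOAUTH", f"port {num}"))
        # Character mode: the caller reaches the Local> prompt and types Set PPP/SLIP.
        char_mode = not (slip_auto or ppp_auto)
        link_unchecked = p.get("SLIP") or (p.get("PPP") and not ppp_auth)
        if char_mode and not port_auth and link_unchecked:
            findings.append(("CHARMODE-NOAUTH", f"port {num}"))
    for name in sorted(sites):
        if not sites[name].get("local_password"):
            findings.append(("SITE-NOLOCALPW", f"site {name}"))
    return findings


if __name__ == "__main__":
    for code, subject in audit(*parse_config(SAMPLE_CONFIG)):
        print(f"{subject:12} {code:16} {EXPLAIN[code]}")
```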

3.6 Outgoing Connections 

Note: The unit does not support outgoing remote node connections. 

When the unit receives a packet, it consults its routing table to determine the best route to the packet's 
destination. If the specified route points to a site, a connection to the site may be initiated. The connection 
will be subject to any restrictions defined for the site, such as a startup filter or time of day restrictions. 

When a connection to the remote router is initiated, a limited number of packets will be buffered until the 
connection is formed. When the connection is successful, the packets will be sent. 

Note: To restrict outgoing connections, see Chapter 10, Security. 

3.6.1 Ports 

Each site must specify which unit port(s) may be used for outgoing connections. More than one port may 
be specified; for example, site dallas might specify that port 2 or port 3 could be used for outgoing 
connections. 

When the unit attempts to make a connection to a site, it will attempt to use one of the specified ports. If the 
port is busy (in use with another connection), it will attempt to make a connection using another specified 
port. The unit uses the port priority setting to determine which ports to try and in what order. In the following 
example, site dallas will try port 2 first, then port 3. 



Figure 3-15: Port Priority for Sites 

Local>> DEFINE SITE dallas PORT 2 PRIORITY 1 
Local>> DEFINE SITE dallas PORT 3 PRIORITY 2 



If all ports are busy, the unit will time out the site for a few minutes and then try again. The connection 
timeout between call attempts is user configurable. See Define Site Time Failure on page -131. 

More than one site may specify a particular port. For example, site dallas and site Seattle may specify that 
port 3 may be used for connections. If site dallas is using port 3 at a certain time and site Seattle is started, 
Seattle will attempt a connection using another specified port. If no other port is specified for site Seattle, it 
will wait until port 3 becomes available. 

Note: To learn how incoming calls use ports and sites, see Starting PPP/Slip for 
Incoming Connections on page 3-8. 

3.6.2 Telephone Numbers 

Each site may specify one port-independent telephone number and one or more port-specific telephone 
numbers. A port-independent telephone number is typically used if all ports are configured to call the same 
number; for example, if the ports are calling a telephone hunt group. Port-independent telephone numbers 
should be used whenever possible; this frees a site to dial the remote site's number from any of the ports the 
site is associated with. 

Port-specific telephone numbers are used when a particular unit port should call a specific number at the 
remote site. These numbers will override a port-independent telephone number. For example, in order to get 
the most efficient use out of connected modems, a site might specify that when port 2 (connected to a high 
speed modem) is used, another high speed modem should be dialed. When port 3 (connected to a slow speed 
modem) is used, the unit should dial another slow speed modem. 

If a site does not have a telephone number defined, the unit assumes either that there's a direct connection 
between the unit and the remote host, or that a chat script (see Chapter 4, Additional Remote Networking) 
will be used to communicate with the remote host. 

3.6.3 Authentication 

The remote site may require that the unit authenticate itself by sending a username and password. The 
username that the unit sends is (by default) the site name. To send a different username, use the Define Site 
Authentication Username command, described on page -117. 

The password sent is a site-specific password called the remote password. The remote password is used 
only for outgoing connections, and must be sent via PPP. See Configure Authentication on page 3-16 for 
configuration instructions. 

SLIP does not support authentication. To perform authentication, SLIP users must use chat scripts. See 
Chat Scripts on page 4-5 for more information. 

3.6.4 Configuring Outgoing Connections 

To configure the unit for outgoing connections, complete the steps in the following sections. 

3.6.4.1 Configure Ports 

All ports that will support outgoing connections must be configured for dynamic connections. Use the 
following command. 

Figure 3-16: Permitting Outgoing Connections 

Local>> DEFINE PORT 2 ACCESS DYNAMIC 



Note: For more information on port configuration, see Chapter 7, Ports. 

3.6.4.2 Configure Modems 

Enable modem operation on the port(s) used for outgoing calls. Then assign a modem profile to the port 
using the Define Ports Modem Type command. 

Figure 3-17: Enabling Modem Operation 

Local>> DEFINE PORT 2 MODEM ENABLED 
Local>> DEFINE PORT 2 MODEM TYPE 5 



Note: A modem profile automatically sets up a port for a specific type of modem. 
Define Ports Modem Type is listed on page -91. Modem profiles and complete 
modem configuration instructions are discussed in Chapter 8, Modems. 

3.6.4.3 Create a Site 

Every outgoing connection must use a site. Each site is initially created with a default set of configurations. 
To display the current configuration, use the List Site command. 

Figure 3-18: Listing a Site's Configuration 



Local>> LIST SITE irvine PORTS 



Note: To create a site, see Creating a New Site on page 3-2. 

List Site can be used with a number of parameters, which display different aspects of a site's configuration. 
For example, List Site Ports will display all ports associated with the site. 

3.6.4.4 Select Port(s) to Use for Dialing Out 

Once a site is created, the port(s) that it will use to dial the remote location must be defined. Each site must 
be associated with at least one port. Use the following command: 

Figure 3-19: Associating a Site With a Port 

Local>> DEFINE SITE irvine PORT 2 

3.6.4.5 Assign a Telephone Number to the Port or Site 

If the site will be used with modems, at least one telephone number must be specified so that the site can 
dial a remote host. The number may be assigned specifically for use with a particular port, or for use with 
any port. To assign a port-specific telephone number, use the Define Site Port Telephone command. 

Figure 3-20: Assigning a Port Telephone Number 



Local>> DEFINE SITE irvine PORT 2 TELEPHONE 547-9549 



To assign a telephone number to the site that may be used with any port, use the Define Site Telephone 
command. 

Figure 3-21: Assigning a Site Telephone Number 

Local>> DEFINE SITE irvine TELEPHONE 867-5309 

A port-specific telephone number will override a site telephone number. For example, site irvine may be 
configured to use the number 635-9202 on any port it's using, but only the number 845-7000 when it's using 
port 3. 
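
The port priority rules from section 3.6.1 and the telephone number override described above, combined into one short Python model. This is an added example, not the unit's own logic: the class names, the dallas telephone number, and the priorities given to sites irvine and seattle are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Site:
    name: str
    # Port number -> priority; priority 1 is tried first (as in Figure 3-15).
    priority: Dict[int, int] = field(default_factory=dict)
    telephone: Optional[str] = None                       # port-independent number
    port_telephone: Dict[int, str] = field(default_factory=dict)

    def number_for(self, port: int) -> Optional[str]:
        # A port-specific number overrides the site number. None means no number
        # is defined: a direct connection or a chat script is assumed.
        return self.port_telephone.get(port, self.telephone)


class PortPool:
    """Tracks which unit ports are in use by which site."""

    def __init__(self) -> None:
        self.in_use: Dict[int, str] = {}

    def start(self, site: Site) -> Optional[Tuple[int, Optional[str]]]:
        """Pick the first free port in priority order and the number to dial.

        Returns None when every port the site lists is busy; the unit then
        waits and retries after the site's configured failure timeout.
        """
        for port in sorted(site.priority, key=lambda p: (site.priority[p], p)):
            if port in self.in_use:
                continue
            self.in_use[port] = site.name
            return port, site.number_for(port)
        return None

    def logout(self, site: Site) -> None:
        self.in_use = {p: s for p, s in self.in_use.items() if s != site.name}


# Constructed sample sites. The irvine numbers are the ones used in the text above.
DALLAS = Site("dallas", {2: 1, 3: 2}, telephone="555-0100")
IRVINE = Site("irvine", {2: 1, 3: 2}, telephone="635-9202",
              port_telephone={3: "845-7000"})
SEATTLE = Site("seattle", {3: 1})


def demo():
    pool = PortPool()
    steps = [("dallas", pool.start(DALLAS)),     # takes port 2
             ("irvine", pool.start(IRVINE)),     # port 2 busy, falls back to port 3
             ("seattle", pool.start(SEATTLE))]   # only port 3 allowed, must wait
    pool.logout(IRVINE)
    steps.append(("seattle", pool.start(SEATTLE)))  # port 3 is free again
    return steps


if __name__ == "__main__":
    for name, result in demo():
        print(name, "->", result if result else "all ports busy, retry later")
```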

3.6.4.6 Configure Authentication 

When an outgoing connection is attempted, the remote router may or may not require the unit to authenticate 
itself. One of the following scenarios will generally apply: 

♦ The remote router uses CHAP or PAP to prompt the unit to authenticate itself 

This scenario is the most common; the configuration instructions in this section assume that CHAP or 
PAP will be used. 

♦ The remote router requires a login password 

In this case, the unit will need to use a chat script to communicate the password to the remote router. 
See Chapter 4, Additional Remote Networking, for instructions. 

♦ The remote router does not require authentication 

The instructions in this section will not be necessary. Continue to Configure Routing on page 3-16. 

Before configuring authentication, ensure that you have the username and password required to log into the 
remote router. In addition, determine whether the remote router will use PAP or CHAP to transmit the 
username and password. 

Configure the username and remote password to be transmitted. 



Figure 3-22: Defining Local Username and Password 



Local>> DEFINE SITE irvine AUTHENTICATION USERNAME "doc_server"
Local>> DEFINE SITE irvine AUTHENTICATION REMOTE "giraffe"



If CHAP will be used, enable CHAP on the site. To use PAP to transmit the username and password, enable
PAP on the site.

Figure 3-23: Enabling CHAP/PAP Authentication 



Local» DEFINE SITE irvine AUTHENTICATION CHAP ENABLED 
Local» DEFINE SITE irvine AUTHENTICATION PAP ENABLED 



3.6.4.7 Configure Routing 

Static routes to the site must be entered in the IP routing tables. To configure IP routing, see Chapter 5, IP.

3.7 Monitoring Networking Activity

To monitor current remote networking activity, use the Show Site or Monitor Site command. Show Site 
enables you to display the activity associated with a particular site, including the number of packets received 
and transferred, idle time, current state of the site's ports, and configuration of its associated protocols (for 
example, IP). Monitor Site will update and redisplay this information at three-second intervals.



Table 3-2: Show/Monitor Site Commands 



Commands                                 Description
Show/Monitor Sites                       Lists currently running sites.
Show/Monitor Site <sitename>             Displays the site's configuration.
Show/Monitor Site <sitename> Counters    Displays the site's current performance.
Show/Monitor Site <sitename> Status      Shows all sites that have attempted or completed connections.
Show/Monitor Site <sitename> All         Shows cumulative statistics for this site. Statistics are reset upon boot.



During active connections, Show/Monitor Site commands will display the current state of the site or of its 
assigned ports. The state of the port or site depends on the activity taking place. For example, a port may be 
in an idle state, then transition to an on-line state when it begins transferring packets. The possible site states 
are listed in Table 3-3. 



Table 3-3: Site States 



Site State    Activity During State
Idle          The site is idle.
Startup       A user, PPP or SLIP, requested that the site start running.
Waiting       The site is waiting for a port to connect.
Connect       The site is connected and passing packet traffic.
Logout        The site was instructed to shut down.
Closing       The site is shutting down PPP or SLIP.
Freeing       The site is removing itself from memory.
NVR           A List Site command was used to display site information. The site's configuration is displayed, not its current activity.

The possible port states of ports assigned to the sites are listed in Table 3-4.

Table 3-4: State of Ports Assigned to a Site 



Port State    Activity During State
Idle          The site is not currently using this port. The port may be in use by other sites.
Dial          The remote modem is being dialed.
Chat          The chat script defined in the site is being executed. See Chapter 4, Additional Remote Networking, for a definition of chat scripts.
Link          PPP is being negotiated with the remote router or remote node. (This state does not apply to SLIP users.)
Ready         PPP negotiation has been completed. (This state does not apply to SLIP users.)
Online        Traffic is being forwarded to the remote site.



3.8 Examples 

3.8.1 LAN to LAN - Calling one Direction Only 

A unit in a remote office in Dallas must call a unit at the company headquarters in Seattle. This LAN to
LAN connection must meet the following criteria: 

♦ IP users in a remote office in Dallas must connect to IP network 192.0.1.0, which is located at the 
company headquarters in Seattle. 

♦ The unit in Seattle never calls Dallas. 

♦ The unit in Seattle must support character mode users as well as the unit in Dallas. 

♦ After 60 seconds of idle time, the connection between Dallas and Seattle should be timed out.

This unit must be configured for outgoing LAN to LAN connections.



Figure 3-24: Dallas unit Configuration 



Local» DEFINE PORT 2 ACCESS DYNAMIC
Local» DEFINE PORT 2 MODEM ENABLED
Local» LIST MODEM
Local» DEFINE PORT 2 MODEM TYPE 1
Local» DEFINE PORT 2 MODEM SPEAKER DISABLED
Local» DEFINE PORT 2 AUTHENTICATE ENABLED
Local»
Local» DEFINE SITE SEATTLE AUTHENTICATION USERNAME "dallas"
Local» DEFINE SITE SEATTLE AUTHENTICATION REMOTE "xyz"
Local» DEFINE SITE SEATTLE AUTHENTICATION CHAP ENABLED
Local» DEFINE SITE SEATTLE IDLE 60
Local» DEFINE SITE SEATTLE PORT 2
Local» DEFINE SITE SEATTLE TELEPHONE 2065551234
Local»
Local» DEFINE IP ROUTE 192.0.1.0 SITE SEATTLE 2
Local»
Local» INITIALIZE SERVER DELAY 0



The Initialize Server Delay 0 command will reboot the unit; when the unit has rebooted, changes made 
with the Define commands will be in effect. 

This unit must then be configured using the following commands: 



Figure 3-25: Seattle unit Configuration 



Local>> DEFINE PORT 2 MODEM ENABLED
Local>> LIST MODEM
Local>> DEFINE PORT 2 MODEM TYPE 1
Local>> DEFINE PORT 2 MODEM SPEAKER DISABLED
Local>> DEFINE PORT 2 AUTHENTICATE ENABLED
Local>> DEFINE PORT 2 PPPDETECT ENABLED
Local>> DEFINE PORT 2 PPP CHAP REMOTE
Local>> DEFINE PORT 2 AUTHENTICATE ENABLED
Local>> LOGOUT PORT 2
Local>>
Local>> DEFINE SITE dallas AUTHENTICATION LOCAL "xyz"
Local>> DEFINE IP ROUTING ENABLED
Local>>
Local>> INITIALIZE SERVER DELAY 0



3.8.2 LAN to LAN - Bidirectional (Symmetric) Calling 

A unit in a remote office in Dallas must be able to call a unit at the company headquarters in Seattle. This
LAN to LAN connection must meet the following criteria: 

♦ The unit in Seattle must also be able to call Dallas. 

♦ IP traffic must be transferred between Seattle and Dallas. 

♦ IP users in Dallas must connect to IP network 192.0.1.0 in Seattle. IP users in Seattle must connect to
IP network 192.0.2.0 in Dallas.

♦ Both remote access servers are to be dedicated to this purpose. No other applications are supported.

♦ After 60 seconds of idle time, the connection between Dallas and Seattle should be timed out. 

♦ The unit in Seattle expects the username dallas and the password xyz. The unit in Dallas expects the 
username Seattle and the password abc. 

This unit must be configured for incoming and outgoing LAN to LAN connections: 

Figure 3-26: Dallas unit Configuration 



Local» DEFINE PORT 2 ACCESS DYNAMIC
Local» DEFINE PORT 2 PPP DEDICATED
Local» DEFINE PORT 2 MODEM ENABLED
Local» LIST MODEM
Local» DEFINE PORT 2 MODEM TYPE 1
Local» DEFINE PORT 2 MODEM SPEAKER DISABLED
Local» DEFINE PORT 2 AUTHENTICATE ENABLED
Local»
Local» DEFINE SITE SEATTLE AUTHENTICATION USERNAME "dallas"
Local» DEFINE SITE SEATTLE AUTHENTICATION LOCAL "abc"
Local» DEFINE SITE SEATTLE AUTHENTICATION REMOTE "xyz"
Local» DEFINE SITE SEATTLE AUTHENTICATION CHAP
Local» DEFINE SITE SEATTLE IDLE 60
Local» DEFINE SITE SEATTLE PORT 2
Local» DEFINE SITE SEATTLE TELEPHONE 2065551234
Local»
Local» DEFINE IP ROUTE 192.0.1.0 SITE SEATTLE 2
Local» DEFINE IP ROUTING ENABLED
Local»
Local» INITIALIZE SERVER DELAY 0



The Initialize Server Delay 0 command will reboot the unit; when the unit has rebooted, changes made 
with the Define commands will be in effect. 






The Seattle unit will have different authentication, telephone, site and router information than the unit in 
Dallas. In all other respects, it is configured identically to the Dallas unit. 

Figure 3-27: Seattle unit Configuration 



Local» DEFINE PORT 2 ACCESS DYNAMIC
Local» DEFINE PORT 2 PPP DEDICATED
Local» DEFINE PORT 2 MODEM ENABLED
Local» LIST MODEM
Local» DEFINE PORT 2 MODEM TYPE 1
Local» DEFINE PORT 2 MODEM SPEAKER DISABLED
Local»
Local» DEFINE SITE DALLAS AUTHENTICATION USERNAME "Seattle"
Local» DEFINE SITE DALLAS AUTHENTICATION LOCAL "xyz"
Local» DEFINE SITE DALLAS AUTHENTICATION REMOTE "abc"
Local» DEFINE SITE DALLAS AUTHENTICATION CHAP
Local» DEFINE SITE DALLAS IDLE 60
Local» DEFINE SITE DALLAS TELEPHONE 2145556789
Local»
Local» DEFINE IP ROUTE 192.0.2.0 SITE DALLAS 2
Local» DEFINE IP ROUTING ENABLED
Local»
Local» INITIALIZE SERVER DELAY 0
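The two units only authenticate each other if their site credentials mirror one another. The following Python check is an added example, not part of the manual or the unit's software; it parses the AUTHENTICATION lines of Figures 3-26 and 3-27 and verifies each calling direction. It assumes, from the examples in this chapter, that the answering unit looks up a site named after the caller's USERNAME (case-insensitively) and compares the caller's REMOTE password with that site's LOCAL password.

```python
import re

# Constructed input: the AUTHENTICATION lines of Figures 3-26 and 3-27.
DALLAS_UNIT = """
Local» DEFINE SITE SEATTLE AUTHENTICATION USERNAME "dallas"
Local» DEFINE SITE SEATTLE AUTHENTICATION LOCAL "abc"
Local» DEFINE SITE SEATTLE AUTHENTICATION REMOTE "xyz"
"""
SEATTLE_UNIT = """
Local» DEFINE SITE DALLAS AUTHENTICATION USERNAME "Seattle"
Local» DEFINE SITE DALLAS AUTHENTICATION LOCAL "xyz"
Local» DEFINE SITE DALLAS AUTHENTICATION REMOTE "abc"
"""

# Optional prompt, then DEFINE SITE <name> AUTHENTICATION <keyword> "<value>".
AUTH_LINE = re.compile(
    r'^\s*(?:Local\S*\s+)?DEFINE\s+SITE\s+(\S+)\s+AUTHENTICATION\s+'
    r'(USERNAME|LOCAL|REMOTE)\s+"([^"]*)"\s*$',
    re.IGNORECASE,
)


def parse_sites(config_text):
    """Return {site_name_lowercase: {"USERNAME"|"LOCAL"|"REMOTE": value}}."""
    sites = {}
    for raw in config_text.splitlines():
        match = AUTH_LINE.match(raw)
        if match:
            name, keyword, value = match.groups()
            sites.setdefault(name.lower(), {})[keyword.upper()] = value
    return sites


def check_direction(caller_config, answerer_config):
    """List the reasons a call from the caller to the answerer would fail to
    authenticate. Messages name sites only and never echo a password."""
    problems = []
    answerer_sites = parse_sites(answerer_config)
    for site, auth in parse_sites(caller_config).items():
        username, sent_password = auth.get("USERNAME"), auth.get("REMOTE")
        if username is None or sent_password is None:
            problems.append(f"site {site}: USERNAME or REMOTE is not defined")
            continue
        # Assumption: the answerer matches the username to a site name.
        peer_site = answerer_sites.get(username.lower())
        if peer_site is None:
            problems.append(
                f"site {site}: peer has no site named {username.lower()}")
        elif peer_site.get("LOCAL") != sent_password:
            problems.append(
                f"site {site}: REMOTE password does not match LOCAL "
                f"on peer site {username.lower()}")
    return problems


if __name__ == "__main__":
    for label, caller, answerer in (
        ("Dallas calls Seattle", DALLAS_UNIT, SEATTLE_UNIT),
        ("Seattle calls Dallas", SEATTLE_UNIT, DALLAS_UNIT),
    ):
        print(label, "->", check_direction(caller, answerer) or "consistent")
```
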



3.8.3 Remote Node 

This example sets up ports 2 and 3 to support IP remote node users via PPP. All users will use temporary 
copies of the default site and may authenticate with CHAP, PAP, or chat scripts. Modems on port 2 and 3 
will be automatically configured. 

IP users will be forced to use either IP address 192.0.1.7 or 192.0.1.8. One IP user, wwwserver, must have
the same address (192.0.2.6) each time it logs in. 



1 Configure the port.

Figure 3-28: Configuring the Port

Local» DEFINE PORT 2-3 PPPDETECT ENABLED
Local» DEFINE PORT 2-3 PPP ENABLED
Local» DEFINE PORT 2-3 PPP CHAP REMOTE
Local» DEFINE PORT 2-3 PPP PAP REMOTE
Local» DEFINE PORT 2-3 AUTHENTICATE ENABLED
Local» DEFINE PORT 2-3 MODEM ENABLED
Local» LIST MODEM
Local» DEFINE PORT 2 MODEM TYPE 1
Local» DEFINE PORT 3 MODEM TYPE 2



2 Configure IP to allocate IP addresses to incoming users. 

Figure 3-29: Configuring IP 



Local» DEFINE IP IPADDRESS 192.0.1.6 

Local» DEFINE IP ETHERNET POOL 192.0.1.7 192.0.1. 

Local» DEFINE IP ETHERNET PROXY-ARP ENABLED

3 Configure a range of IP Addresses for users of the default site.

Figure 3-30: Configuring Default Site 



Local» DEFINE SITE DEFAULT IP REMOTEADDRESS 192.0.1.7 192.0.1.8 



4 Configure a static IP address site. 

Figure 3-31: Configuring Static IP Address



Local» DEFINE SITE wwwserver REMOTE IP 192.0.2.6 

Local» DEFINE SITE wwwserver AUTHENTICATION LOCAL "monkey"

This chapter discusses how to "fine-tune" remote networking and related features on your unit. Performance
and cost issues are covered, as well as how to manage bandwidth on demand, use direct connections and 
leased lines, and restrict access to the unit. 

4.1 Security 

4.1.1 Authentication

Authentication may be used to restrict users to a particular configuration when they log into a port. When a 
username is entered in the local authentication database, a series of commands may be associated with that 
user. These commands (including starting a site) will be executed when the user is successfully 
authenticated. 

To execute commands when a user logs into the unit, complete the following steps: 

1 Ensure that the authentication databases have been configured using the Set/Define Authentication
command on page -137.

2 Associate commands with a username by entering the Set/Define Authentication User command. 
When the user is successfully authenticated, these commands will be executed. 

Figure 4-1: Restricting a User to a Particular Site

Local» DEFINE AUTHENTICATION USER "bob" COMMAND "set ppp dialin_users" 



In the example above, when user bob logs into the unit, he will automatically run site dialin_users. 
Authentication must then be enabled on each port that will be used for incoming logins. 

Note: See Chapter 10, Security, for a comprehensive discussion of authentication. 

4.1.2 Filter Lists 

Filters enable the unit to restrict packet traffic. Each filter specifies a particular rule, for example, only IP 
packets are permitted passage. Packets that pass the filter are forwarded; all others are discarded. 

Filters are organized into ordered filter lists, referenced by name. For example, a filter named firewall may 
permit forwarding of packets that match a particular IP rule, but deny passage to packets that match a 
generic rule.

Filter lists are associated with sites. Table 4-1 describes the available filter lists and how they are used.



Table 4-1: Types of Filter Lists

Type of Filter List    Purpose
Idle                   Determines whether the site will remain active. Packets that pass the filter will reset the site's idle timer, preventing the site from being timed out.
Incoming               Determines whether to forward incoming packets received from a remote site. Packets that pass the filter will be forwarded.
Outgoing               Determines whether to forward outgoing packets to a remote site. Packets that pass the filter will be forwarded.
Startup                Determines whether a site will initiate a connection to a remote site. When a packet passes the filter, the unit will initiate an outgoing connection. (If an outgoing connection currently exists, this filter will be ignored.)



When a site with an associated filter list receives a packet, the unit compares the packet against each filter 
starting with the first filter on the list. If the packet matches any of the filters, the packet is forwarded or 
discarded according to the filter's specification. If the packet does not match any of the filters in the list, it is
not forwarded. 

The order filters appear in a list is very important. For example, consider the following filter list. 

1 Allow any packet 

2 Deny all IP traffic matching a particular rule 

When this filter list is associated with a site, all packets are forwarded. Packets are compared to filters in 
the order in which the filters appear in the list. Because all packets match the specification of "any packets," 
all packets are forwarded without being compared to the second filter. 

Switching the order of the filters has a significant effect. Examine the filter list below, where the order of 
the above two filters is reversed. 

1 Deny all IP traffic matching a particular rule 

2 Allow any packet 

When this filter list is used, all IP traffic matching the specified rule is discarded. Therefore, some IP packets 
are discarded without being compared to the second filter. 
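The first-match behaviour described above, including the rule that a packet matching no filter is not forwarded, can be modelled in a few lines. This Python sketch is an added example, not the unit's filter engine; the filter fields and the "particular rule" (IP packets to destination port 23) are constructed for illustration. It also flags filters that can never be reached because an earlier filter already matches everything they would.

```python
from typing import NamedTuple, Optional


class Filter(NamedTuple):
    """One entry in an ordered filter list (constructed model)."""
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, packet):
        return all(
            want is None or packet.get(field) == want
            for field, want in (("protocol", self.protocol),
                                ("dst_port", self.dst_port))
        )

    def covers(self, other):
        """True if every packet matching `other` also matches this filter."""
        return all(
            mine is None or mine == theirs
            for mine, theirs in ((self.protocol, other.protocol),
                                 (self.dst_port, other.dst_port))
        )


def forwarded(filter_list, packet):
    """Apply the first matching filter; a packet matching none is dropped."""
    for entry in filter_list:
        if entry.matches(packet):
            return entry.action == "allow"
    return False


def shadowed(filter_list):
    """1-based positions of filters that no packet can ever reach."""
    return [
        index + 1
        for index, entry in enumerate(filter_list)
        if any(earlier.covers(entry) for earlier in filter_list[:index])
    ]


# Constructed filters and packets.
ALLOW_ANY = Filter("allow")
DENY_RULE = Filter("deny", protocol="ip", dst_port=23)
TELNET = {"protocol": "ip", "dst_port": 23}
WEB = {"protocol": "ip", "dst_port": 80}

ALLOW_FIRST = [ALLOW_ANY, DENY_RULE]   # first list in the text
DENY_FIRST = [DENY_RULE, ALLOW_ANY]    # second list in the text

if __name__ == "__main__":
    for name, flist in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, "telnet forwarded:", forwarded(flist, TELNET),
              "| web forwarded:", forwarded(flist, WEB),
              "| unreachable filters:", shadowed(flist))
```
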

To prevent all packet traffic from the IP protocol, filter lists do not need to be used. Use the Define Site IP 
Disabled command. 

Figure 4-2: Preventing IP Packet Traffic

Local» DEFINE SITE irvine IP DISABLED

Configuring filter lists involves two primary steps: creating the filter list, and associating the list with a
particular site. See Setting Up a Filter List on page 10-23 for complete configuration instructions. 

4.1.3 Restricting IP Addresses

To enhance security, incoming callers can be restricted to a specific IP address or range of addresses. This 
restriction may be defined in each site. See IP Addresses on page 5-1 for more information. 

4.1.4 Restricting Incoming Logins to a Particular Site

If the username has been configured to run a series of commands when it is authenticated (one of these
commands may be starting a particular site), these commands will be executed. Executing a particular site 
automatically when a user logs in can force a user to use a specific configuration; see Forcing Execution of 
Commands on page 10-10. 

4.1.5 Restricting Authenticated Logins by a Single User

The unit can be configured to prevent a single PPP or Local mode user from making multiple authenticated 
connections to the unit. If two users attempt to log into authenticated ports with the same username, only 
the first user will be allowed to connect. See Restricting Multiple Authenticated Logins on page 10-19 for 
details. 

4.2 IP Configuration 

4.2.1 RIP 

RIP (Routing Information Protocol) packets enable the unit to broadcast its known routes and receive 
routing information from other routers. Each site may configure RIP in a number of ways. 

4.2.1.1 Disabling RIP 

By default, unit sites will both listen for and send RIP packets. However, in some situations RIP should be
disabled, for example when the routers on both sides of a link have been pre-configured with all necessary
routing information (with static routes).

Figure 4-3: Disabling RIP 

Local» DEFINE SITE irvine IP RIP DISABLED 



If you want the unit to either listen for or send RIP packets, but not both, you can selectively disable one or 
the other. The following example turns off listening for RIP packets. 

Figure 4-4: Disabling RIP Listen 

Local» DEFINE SITE irvine IP RIP LISTEN DISABLED

4.2.1.2 Interval Between RIP Updates

When RIP sending is enabled, the unit will send RIP updates every thirty seconds by default. This number 
can be adjusted; for example, the update interval may be raised so that RIP updates are sent every minute 
to reduce network traffic. 

To configure the update interval, use the Define Site IP RIP Update command. The interval must be 
specified in seconds; intervals between 10 and 255 seconds are permitted. 

Figure 4-5: Adjusting RIP Update Intervals 

Local» DEFINE SITE irvine IP RIP UPDATE 60



4.2.1.3 Configuring the Metric 

Each RIP packet lists known routes and the "cost" associated with each of these routes. Each unit site may 
configure the cost of its interface; all routes learned through the site will be associated with that cost. 

When a router determines a route to a particular destination, a route with a lower cost is more likely to be 
included in the route. Configuring a higher RIP cost on a particular site makes the interface a less desirable 
route to other destinations. 

To set the site's IP RIP metric, use the Define Site IP RIP Metric command. 

Figure 4-6: Configuring a Site's RIP Metric 

Local» DEFINE SITE irvine IP RIP METRIC 4



In the example above, all routes learned through site irvine will be associated with cost 4. The higher the 
cost number, the less desirable the route. 

Note: If IP RIP sending is disabled on a site, the Update and Metric values will be 
ignored. 

4.2.2 Header Compression 

Each site may enable or disable compression of IP header information. When a site is created, IP header 
compression will be enabled by default. 

To disable IP header compression, use the following command. 

Figure 4-7: Disabling IP Header Compression 

Local» DEFINE SITE irvine IP COMPRESS DISABLED 



Note: For complete IP configuration instructions, see Chapter 5, IP. 

4.2.3 NetBIOS Nameserver (NBNS) 

Windows 95 users can run NetBIOS over IP and use a secondary NetBIOS nameserver (NBNS) for name 
resolution. This allows Windows 95 clients to use the Network Neighborhood browser without any 
additional configuration on the Windows 95 host. For more information, see Using the NetBIOS 
Nameserver (NBNS) on page 5-17. 






4.3 Chat Scripts 

Chat scripts enable the unit to communicate with virtually any type of equipment at the remote site. They 
are typically configured to send a string of characters, then wait to receive a particular string in return. 

For example, the unit might log into a remote site that has a login program. Using a chat script defined for 
the site, the unit could send carriage returns until the login prompt is returned, send a username, wait for the 
password prompt, and send a password. 

4.3.1 Creating a Chat Script 

Chat scripts are defined one line at a time following a given syntax. A chat script to be used for outgoing 
connections from a particular site can be created with the Define Site Chat commands. These commands 
enable you to do the following: send a particular string, replace, add, or delete existing lines in the script, 
expect a particular string, and configure timeout periods. 

For example, to configure the script to send or expect strings, use the following command. 

Figure 4-8: Sending and Expecting Strings 

Local» DEFINE SITE irvine CHAT SEND "hello?" 
Local» DEFINE SITE irvine CHAT EXPECT "login:" 



Note: Chat script expect strings are case-sensitive. 

4.3.2 Editing and Adding Entries 

To replace, delete, or insert entries, specify the line numbers. Figure 4-9 displays a few examples. 

Figure 4-9: Editing Script Entries 

Local» DEFINE SITE irvine CHAT REPLACE 1 EXPECT "login:" 
Local» DEFINE SITE irvine CHAT DELETE 4 

Local» DEFINE SITE irvine CHAT AFTER 3 EXPECT "login:" 
Local» DEFINE SITE irvine CHAT BEFORE 3 EXPECT "login:" 



To determine the number of a particular line, display the script using the List Site Chat command. All chat 
script entries for that site will be displayed. 

4.3.3 Configuring Timeouts 

The Define Site Chat Timeout command enables you to configure the timeout after an Expect command, 
or a delay before a Send command is executed. Figure 4-10 displays some examples. 

Figure 4-10: Setting Timeouts and Delays 

Local» DEFINE SITE irvine CHAT TIMEOUT 2 EXPECT "login:" 
Local» DEFINE SITE irvine CHAT TIMEOUT 4 SEND "hello?"

The first command in Figure 4-10 will cause the unit to wait two seconds for a response from the remote
host after sending an Expect command. If no response is received after two seconds, the chat script will fail 
or return to the previous fail marker. The second command will send the "hello?" string after a 4-second 
delay. 

The default Send timeout (delay before a Send command is executed) is 0; in other words, strings will be 
sent right away. The default timeout for Expect commands is 30 seconds. 

4.3.4 Setting Markers 

The Fail parameter sets a marker in a chat script for a Timeout command. When the Timeout associated 
with an Expect command expires (the expected string is not received within the specified number of 
seconds), the unit will return to the last command containing the Fail parameter. The script will be executed 
from that point, continuously looping if the Expect command repeatedly fails. 

Figure 4-11: Expect/Fail Scripts



Local» DEFINE SITE irvine CHAT TIMEOUT 4 FAIL 
Local» DEFINE SITE irvine CHAT SEND "\r" 

Local» DEFINE SITE irvine CHAT TIMEOUT 2 EXPECT "login:" 



The script in Figure 4-11 will send a carriage return, then wait for two seconds while a "login:" string is 
expected. If the "login:" string is not received within two seconds, the chat script will loop back to the Fail 
command and continue running from that point. Each time the Expect command fails (the "login:" string is 
not received within two seconds), the Fail counter is decremented one value. When the Expect command 
has failed four times (the "login:" string is never received), the looping will stop and the chat script will exit. 
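The looping described for Figure 4-11 can be traced with a small interpreter. This Python sketch is an added example, not the unit's chat-script engine: the tuple encoding of script lines and the simulated remote host are constructed, and a timeout is modelled simply as the expected string being absent from what the host has sent so far.

```python
# Figure 4-11 as data: (operation, argument, seconds). Constructed encoding.
FIGURE_4_11 = [
    ("fail", 4, None),        # CHAT TIMEOUT 4 FAIL: marker, four failures allowed
    ("send", "\r", 0),        # CHAT SEND "\r"
    ("expect", "login:", 2),  # CHAT TIMEOUT 2 EXPECT "login:"
]


def run_chat(script, remote):
    """Run a chat script against remote(text) -> reply text.

    Returns (succeeded, log). On an Expect timeout the script returns to the
    line after the last Fail marker and decrements that marker's counter; it
    exits when the counter reaches zero or when there is no marker at all."""
    position, fail_position, failures_left = 0, None, 0
    received, log = "", []
    while position < len(script):
        operation, argument, _seconds = script[position]
        if operation == "fail":
            fail_position, failures_left = position, argument
        elif operation == "send":
            log.append(("send", argument))
            received += remote(argument)
        elif operation == "expect":
            found_at = received.find(argument)   # expect strings are case-sensitive
            if found_at < 0:
                log.append(("timeout", argument))
                if fail_position is None:
                    return False, log
                failures_left -= 1
                if failures_left <= 0:
                    return False, log
                position = fail_position + 1
                continue
            received = received[found_at + len(argument):]
            log.append(("matched", argument))
        position += 1
    return True, log


def host_answering_on(nth_return, prompt="\r\nlogin: "):
    """Constructed remote host: prints its prompt from the nth carriage return on."""
    seen = {"returns": 0}

    def remote(text):
        seen["returns"] += text.count("\r")
        return prompt if seen["returns"] >= nth_return else ""

    return remote


def count(log, kind):
    return sum(1 for event, _ in log if event == kind)


if __name__ == "__main__":
    for label, host in (("answers on 3rd return", host_answering_on(3)),
                        ("never answers", host_answering_on(99)),
                        ("answers 'Login:'", host_answering_on(1, "\r\nLogin: "))):
        ok, log = run_chat(FIGURE_4_11, host)
        print(label, "->", "connected" if ok else "script exited",
              "after", count(log, "send"), "sends")
```
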

4.4 Bandwidth On Demand 

The following sections explain bandwidth on demand concepts for LAN to LAN connections and outline 
the basic configuration needed to utilize unit bandwidth on demand functionality. For more detailed 
instructions on setting up both sides of a bandwidth on demand connection, refer to Multilink PPP on page 
6-4. 

Note: Remote Node sites have a fixed bandwidth. The unit cannot add or remove
bandwidth for Remote Node connections. This section discusses bandwidth for
LAN to LAN connections only.

By default, sites will only attempt to bring up one port to a remote site in a LAN to LAN connection. If the 
amount of incoming data on the Ethernet exceeds the current bandwidth of the serial port (and the unit is 
configured not to dial up additional bandwidth), congestion occurs and the extra data is discarded. 

To avoid congestion, the unit enables you to customize a site's use of bandwidth. As it is needed, additional
bandwidth will be added. The unit will assign more ports to the site until it has enough bandwidth or reaches 
a certain threshold. When it is no longer needed, the extra bandwidth will be removed. 

4.4.1 How Bandwidth is Controlled 

A site's use of bandwidth is controlled by the following factors:

♦ The initial and maximum bandwidth allotted to the site. These are static values.

♦ The threshold at which additional bandwidth should be added. This threshold is a percentage of the 
currently-dialed bandwidth. 

♦ The threshold at which unnecessary (unused) bandwidth should be removed. This threshold is a 
percentage of the currently-dialed bandwidth. 

♦ The period of time during which the current bandwidth usage is measured. 

♦ The delay between bandwidth adjustments. 

By default, additional bandwidth will not be added to a connection. In order for a connection to have flexible 
bandwidth (bandwidth that is added and removed as necessary), the site's maximum bandwidth must be 
configured, as well as the thresholds at which bandwidth is added and removed. 

Note: The initial bandwidth allotted to the site may also be configured. This is optional. 

The thresholds at which bandwidth is added and removed should have some room between them to regulate
how often bandwidth is added and removed. It is recommended to set the "add bandwidth" threshold to a 
percentage between 80 and 100 percent; the "remove bandwidth" threshold should generally be set to less 
than 50%. If the threshold values are set too close to one another, the connections will thrash; in other 
words, bandwidth will be continuously added and dropped. 

The order in which ports are selected to be added and removed is controlled by a priority setting; when unit 
bandwidth needs change, ports with the highest priority are the first to be added and the last to be removed. 

Bandwidth is controlled by the host that initiates the call. If the unit initiates a call, it controls the bandwidth 
for each site. If the unit receives an incoming call, the bandwidth is controlled by the remote host. 

The unit will always use at least one port for a connection, even if the traffic is below the "remove 
bandwidth" threshold. If this is not desired behavior, the last connection can be controlled by the idle timer. 

Note: To configure the idle timer, see Set/Define Server Inactivity on page -104. 

4.4.2 Disadvantages of Additional Bandwidth 

Increasing bandwidth by bringing up additional links has two disadvantages: increased cost and reduced 
resources. Phone rates will go up as more phone lines are used, and fewer ports will be available for other 
purposes. Assess your needs carefully before increasing bandwidth. 

4.4.3 Configuring Bandwidth Allocated to Sites 

To configure bandwidth, complete the configurations in the following sections. 

4.4.3.1 Estimate Each Port's Bandwidth 

Before sites can be configured to use particular bandwidths, the bandwidth of each unit port must be 
estimated in bytes per second. This estimate should be made based upon two factors: the amount of 
compression expected for typical data on this site, and the fastest data transfer rate that the local and remote 
modems can support.

The unit will truncate the bandwidth setting to the nearest 100 bytes per second. For example, a setting of
5790 will be truncated to 5700. 

Consider the following example. Site irvine may use unit port 2 and port 3 (if needed) for connections. A
V.34 modem with a baud rate of 28800 bits per second is attached to each port. The remote modems are
also V.34 modems with the same baud rate. Compression is enabled and a 2:1 compression rate is expected,
which will increase the data transfer between the modems to 57600 bits per second.

The bandwidth for ports 2 and 3 should be estimated as follows: 



Figure 4-12: Estimating a Port's Bandwidth 



Local>> DEFINE SITE irvine PORT 2 BANDWIDTH 5800
Local>> DEFINE SITE irvine PORT 3 BANDWIDTH 5800



Note: If you are using 8 bits, no parity, and 1 stop bit, the modem will actually transmit 
ten bits for each byte. 

If the modems attached to a series of unit ports are going to be calling similar remote modems, these ports 
should be set to the same bandwidth estimates. In addition, if several ports have compression enabled, you 
should assume that the compression rate on each port will be the same (for example, a 2:1 compression rate).
Avoid using small variations in bandwidth estimates. 

It is important to correctly estimate bandwidth. The unit will attempt to reduce the total number of ports in 
use by using higher bandwidth ports (of the same priority) first until the bandwidth goal is met. 

4.4.3.2 Assign Port Priority Numbers 

Priority numbers enable a site to determine which of its assigned ports it should use first for outgoing calls. 
The highest priority ports, those with higher priority numbers, will be used first. As additional bandwidth 
is needed, lower priority ports will be used in descending order of priority. 

To assign priority numbers to a site's ports, use the following command: 

Figure 4-13: Assigning Port Priority Numbers 

Local» DEFINE SITE irvine PORT 2 PRIORITY 2



Note: By default, all ports are assigned a priority of 1.

4.4.3.3 Specify the Bandwidth Measurement Period 

A period must be specified (in seconds) during which the unit will measure a site's use of bandwidth. The 
measurement taken during this period will be compared to the Add and Remove values (see below) to 
determine if bandwidth should be added or removed. Short periods may lead to "thrashing." 

Figure 4-14: Specifying the Bandwidth Measurement Period 

Local» DEFINE SITE irvine BANDWIDTH PERIOD 60

4.4.3.4 Specify When Bandwidth is Added or Removed

Determine when bandwidth will be added or removed from a site. This is specified in terms of a percentage; 
when a site's bandwidth use on its currently-dialed out ports reaches or falls below this percentage, 
bandwidth will be added or removed as appropriate. 

Figure 4-15: Determining When Bandwidth Will Be Added/Removed 

Local» DEFINE SITE irvine BANDWIDTH ADD 90 
Local» DEFINE SITE irvine BANDWIDTH REMOVE 40 



4.4.3.5 Configure the Delay Between Bandwidth Adjustments 

Determine the minimum period of time between one adjustment in bandwidth (addition or removal) and a 
following adjustment. Configure this delay using the Define Site Bandwidth Holddown command; by 
default, this timer is set to 60 seconds. 

Figure 4-16: Configuring the Holddown Timer 

Local» DEFINE SITE irvine BANDWIDTH HOLDDOWN 30 



The holddown timer helps to limit the "thrashing" caused by rapid adjustments in bandwidth. When the
holddown timer is used in conjunction with a short bandwidth measurement period, the site will respond 
quickly to initial changes in packet traffic without thrashing. 

In the example above, the holddown timer is set to 30 seconds. When bandwidth is added to site irvine, 
additional bandwidth cannot be added until 30 seconds have passed. Bandwidth changes in the opposite 
direction (addition or subtraction) require a delay of double the holddown timer; for example, when 
bandwidth is removed from irvine, it cannot be added for 60 seconds. 
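The interaction of the add and remove thresholds (Section 4.4.1) with the holddown timer described here is easier to see in a simulation. This Python model is an added example, not the unit's algorithm: the class, its method names and the traffic figures are constructed, each call to measure() stands for one completed measurement period, and utilization is taken as offered bytes per second divided by the bandwidth of the ports currently in use.

```python
class Site:
    """Toy model of one site's bandwidth-on-demand decisions (constructed)."""

    def __init__(self, ports, add=90, remove=40, holddown=30):
        # ports: {port_number: (priority, estimated_bytes_per_second)}
        # Estimates are truncated to a multiple of 100 bytes per second.
        self.ports = {n: (prio, bw // 100 * 100) for n, (prio, bw) in ports.items()}
        # Highest priority first; among equal priorities, higher bandwidth first.
        self.order = sorted(
            self.ports, key=lambda n: (-self.ports[n][0], -self.ports[n][1], n))
        self.online = 1            # a connection always keeps at least one port
        self.add, self.remove, self.holddown = add, remove, holddown
        self.last = None           # (time, direction) of the previous adjustment

    def bandwidth(self):
        return sum(self.ports[n][1] for n in self.order[:self.online])

    def allowed(self, now, direction):
        """Same direction waits one holddown; the opposite direction waits two."""
        if self.last is None:
            return True
        when, previous = self.last
        wait = self.holddown if direction == previous else 2 * self.holddown
        return now - when >= wait

    def measure(self, now, bytes_per_second):
        """Return "add", "remove" or "hold" for one measurement result."""
        utilization = 100 * bytes_per_second / self.bandwidth()
        if (utilization >= self.add and self.online < len(self.order)
                and self.allowed(now, "add")):
            self.online += 1
            self.last = (now, "add")
            return "add"
        if (utilization <= self.remove and self.online > 1
                and self.allowed(now, "remove")):
            self.online -= 1
            self.last = (now, "remove")
            return "remove"
        return "hold"


def replay(site, trace):
    """Feed (time, bytes_per_second) samples to a site; return its adjustments."""
    actions = ((t, site.measure(t, load)) for t, load in trace)
    return [(t, action) for t, action in actions if action != "hold"]


IRVINE_PORTS = {2: (2, 5800), 3: (1, 5800)}    # as in Figures 4-12 and 4-13
STEADY_LOAD = [(t, 5000) for t in range(6)]    # constructed: constant 5000 bytes/s

if __name__ == "__main__":
    # 5000 bytes/s is 86% of one port but 43% of two, so thresholds of 80 and 50
    # add and remove the second port on every measurement; 90 and 40 never move.
    for add, remove in ((80, 50), (90, 40)):
        site = Site(IRVINE_PORTS, add=add, remove=remove, holddown=0)
        print(f"add {add} / remove {remove}:", replay(site, STEADY_LOAD))
```
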

4.4.4 Displaying Current Bandwidth Settings 

To display a site's current bandwidth settings, use the List Site Bandwidth command. 

Figure 4-17: Current Bandwidth Settings 

Local» LIST SITE irvine BANDWIDTH 

SMC* Version 1.1/101                 Name: SMC_0C0021
Hardware Addr: 00-80-a3-0c-00-21     Uptime: 1 Day 02:56

Site Name: irvine                    Period: 60
Add @ Utilization: Disabled          Remove @: Disabled
Maximum Bandwidth: 100               Initial Bandwidth: 100
Multilink: Disabled                  Hold Down Timer: 01:00
Input Utilization: 0%                Output Utilization: 0%
Next Adjust Up: Any Time             Next Adjust Down: Any Time
Target Bandwidth: 0                  Waiting Bandwidth: 0
On-line Bandwidth: 0

Average Period    Input           Output          Dropped
(in seconds)      Bytes/Second    Bytes/Second    Bytes/Second
Size Total: 4000
Size Total: 60000



To display how the unit is currently managing a particular site's use of bandwidth, use the Show Site 
Bandwidth command. 

4.4.5 Restoring Default Bandwidth Settings 

To return a site's bandwidth parameters to their default values, use the following command: 

Figure 4-18: Restoring Default Bandwidth Values 

Local>> DEFINE SITE irvine BANDWIDTH DEFAULT 



4.4.6 Monitoring Bandwidth Utilization 

The Show/Monitor Site command is particularly useful when allotting bandwidth to a site. Periodically 
monitoring a site's use of bandwidth will enable you to determine if the bandwidth configuration is 
appropriate and to make adjustments when necessary. 

Figure 4-19: Displaying Bandwidth Utilization 

Local>> SHOW SITE irvine BANDWIDTH 

Note: For information on port and site states, see Table 3-3 on page 3-17. 

4.5 Increasing Performance 

4.5.1 Filtering Unwanted Data 

To reduce the use of bandwidth for unwanted packet traffic, each site may configure an incoming and an 
outgoing filter list. Packets will be compared to these filter lists as they are received or generated. If they do 
not pass the filter, they will be discarded. See Filter Lists on page 4-1 for more details. 

4.5.2 Compressing Data and Correcting Errors 

The amount of data that can be transmitted at once (throughput) can be increased by using data compression. 
Data compression enables a device such as a modem to transfer a larger amount of data at once. When 
compression is used, uncompressed data arrives on the modem's serial port and the modem compresses the 
data before sending it over the phone line. 

The disadvantage of compression is increased latency, the time required to transfer data from one place to 
another. Compression increases latency due to the time required to compress the data before it is sent. Error 
correction can also increase latency, as the data must be checked for integrity after it is received. 

In situations where the delay is undesirable (for example, during interactive use over a long distance line), 
compression and error correction should not be used. These options are enabled by default on the unit; to 
disable them, use the following commands: 



Figure 4-20: Disabling Error Correction and Compression 

Local>> DEFINE PORT 2 MODEM ERRORCORRECTION DISABLED 
Local>> DEFINE PORT 2 MODEM COMPRESSION DISABLED 

Note: For a complete discussion of compression and error correction, see Chapter 8, 
Modems. 



4.5.3 Adding Bandwidth 



Like compression, adding bandwidth can increase throughput. Sites can be configured to automatically 
bring up additional connections when more bandwidth is needed, for example, when the amount of data to 
be transmitted exceeds the bandwidth of the port. 

How "aggressively" a site will add bandwidth can be controlled with two factors: the period during which 
the use of bandwidth is measured, and the percentage at which bandwidth is added. 

For example, to increase bandwidth for small or periodic increases in traffic, reduce the measurement time 
period. A similar effect could be obtained by reducing the percentage utilization at which bandwidth is 
increased. To require a sustained increase in traffic to increase bandwidth, the measurement time period and 
the utilization percentage should be increased. See Bandwidth On Demand on page 4-6 for more 
information. 



4.5.4 Header Compression 

Each site may be configured to compress the header information on IP (TCP only) packets before they are 
forwarded. 

When IP headers are compressed, the unit replaces the packet's header with a slot number. This number is 
assigned dynamically, and denotes that the packet originated from a particular connection (for example, a 
Telnet session). When the destination receives the packet, it will decompress the header, replacing the 
representative slot number with the complete header information. 

Header compression is most useful for interactive traffic such as Telnet sessions. Compressing the header 
information for interactive traffic decreases the delay before data is transferred. In other words, if a key is 
pressed during a Telnet session, the time required to echo that character back to the user's terminal will be 
reduced. 

To use header compression, configure the number of slots (connections) supported on the site. This number 
should be slightly higher than the anticipated number of connections; in the event that more connections are 
made than expected, additional slots will be available for those connections. To configure IP header 
compression, see Header Compression on page 4-11. 

Note: The unit uses Van Jacobson TCP compression, discussed in RFC 1144. 

4.6 Reducing Cost 

4.6.1 Inactivity Logouts 

The unit can be configured to log out a particular site after a certain period of inactivity (referred to as idle 
time). To configure an inactivity timeout, the site must be allocated a maximum idle time in seconds using 
the Define Site Idle command. 

Figure 4-21: Setting Site Idle Time 

Local>> DEFINE SITE irvine IDLE 600 



The site may then be associated with an idle time filter list. When a site receives packets, it compares them 
to this list. Packets that "pass" the filter list will reset the idle timer to zero. If no packets pass the list or 
traffic is not received within the idle time, the site will be timed out. If an idle time filter is not used, any 
packet traffic sent by the site will reset the idle timer. 

Note: Incoming packet traffic does not reset the idle timer if there is no idle time filter. 

Idle time filter lists enable the unit to keep a site active for specific types of traffic, disconnecting the site if 
this traffic isn't sent. For example, imagine that a particular site was intended for interactive traffic. Using 
an idle filter list, the site could ensure that other traffic (for example, email) wouldn't keep the connection 
active. 

Note: To configure an idle time filter, see Filter Lists on page 4-1. 

4.6.2 Restricting Packets with Startup Filters 

To prevent unwanted packets from initiating a connection, each site may be associated with a startup filter 
list. Packets destined for a remote site are compared to this list; if they do not pass the filter, they are 
discarded. 

Startup filter lists are only intended to prevent unwanted connections. If a connection is already in place, 
the list is ignored. To configure a startup filter, see Filter Lists on page 4-1. 

4.6.3 Reducing the Number of Ports Used 

When additional links are brought up to increase bandwidth, phone charges will increase. Reducing the 
number of ports or reducing the site's maximum bandwidth can reduce total cost; see Purge Site on page 
-133 and Define Site Bandwidth on page -119 for details. 

4.6.4 Using Higher Speed Modems 

The time used to transfer data can be reduced by using the highest speed modems available. To ensure that 
high speed modems are used before low speed modems, priority numbers may be assigned to each site's 
ports. If high speed modems are attached to ports with high priority numbers, they will be dialed before 
other modems. 

4.6.5 Restricting Connections to Particular Times 

Sites can be configured to permit outgoing connections only within particular time ranges on particular 
days. For example, outgoing connections can be restricted to Monday through Friday, between 9 a.m. and 
5 p.m. 

4.6.5.1 Determining if Site Restrictions are Appropriate 

Sites don't need to be configured to restrict connections; applications can be restricted to run only at 
particular times. Before configuring a site, it is important to consider whether it's appropriate for a remote 
application or a unit site to control the access restriction. 

4.6.5.2 Setting Up Site Restrictions 

To configure a time range, use the Define Site Time Add command. The time range may be within one day, 
or may span from one day to another day. (If a second day isn't specified, the time period is assumed to take 
place entirely on the first day specified.) The beginning and end times of the range must be specified in 
24-hour format. Some examples are displayed below. 

Figure 4-22: Adding Time Ranges 

Local>> DEFINE SITE irvine TIME ADD MON 8:00 17:00 
Local>> DEFINE SITE irvine TIME ADD TUES 23:00 WED 6:00 
Local>> DEFINE SITE irvine TIME ADD WED 8:00 THURS 8:00 



Note: Up to ten time ranges may be specified. 

Next, specify whether connections will be permitted or prevented during these times using the Define Site 
Time Default command. Enabled permits outgoing connections, except during the time ranges stated. 
Disabled prevents outgoing connections, except during the time ranges stated. 

Figure 4-23: Enabling Connections During Time Ranges 

Local>> DEFINE SITE irvine TIME DEFAULT ENABLED 



Configurable time ranges are based on a Sunday-to-Saturday week. To configure access that spans weekend 
hours, see Controlling Access During Weekend Hours on page 4-18. 

4.6.5.3 Getting Timesetting Information 

In order to restrict packet traffic during the specified times, the unit must get accurate time information from 
one of two sources: an IP timeserver or the unit's internal clock. 

To configure an IP timeserver, see Set/Define IP Timeserver on page -28. To set the unit internal clock, 
see Set/Define Server Clock on page -103. To configure the unit timezone, see Set/Define Server 
Timezone on page -112. 






To display the site restrictions you've configured, use the List Site Time command. 

Figure 4-24: Displaying Site Restrictions 



Local>> LIST SITE irvine TIME 

SMC Version B1.1/102int (951128)      Name: DOC_SERVER 
Hardware Addr: 00-80-a3-0b-00-5b      Uptime: 3 Days 12:07 
20:42:54 

Access default: Enabled 

01) Mon 08:00 - Mon 17:00 Disabled 
02) Tue 23:00 - Wed 06:00 Disabled 
03) Wed 08:00 - Thu 08:00 Disabled 

Success Timeout: 0:01 
Failure Timeout: 0:30 


4.6.6 Increasing Requirements for Adding Additional Bandwidth 

The unit will periodically measure how much bandwidth a particular port is using. The period of time during 
which this measurement is taken may be configured differently for each site. When the measurement period 
is short, a temporary increase in network traffic may cause the site to bring up additional connections to 
increase bandwidth, increasing cost. If a site's bandwidth utilization is measured (averaged) over a longer 
period of time, a temporary increase in network traffic will have less impact on whether or not additional 
bandwidth is added. 

Another way to reduce cost is to increase the percentage utilization required to add additional connections. 
If a site is permitted to use up to 80% of the total currently-dialed bandwidth on a particular port (rather 
than, for example, 25%), the site will be less likely to require additional connections to increase bandwidth. 



4.7 Controlling Frequency of Calls 

The success and failure timers can be used to control how aggressive the unit will be when attempting 
connections. Two commands control this behavior. 

♦ Define Site Time Success sets the time lapse between attempts to connect to a remote site after a 
successful connection has been made. 

♦ Define Site Time Failure sets the time lapse between attempts to connect to a remote site when a 
connection attempt fails. 

If the last connection attempt succeeded and the success timer is set to a high value (for example, 20 
minutes), the unit will wait for a longer period of time before attempting a new connection. If the unit was 
not able to connect for some reason, setting the failure timer to a low value (for example, 5 seconds) will 
cause the unit to retry the connection at short intervals until it succeeds. 

In Figure 4-24, the unit is configured to allow a new connection attempt almost immediately upon 
completion of a successful connection. If the last attempt to connect to the site failed, the unit will wait 30 
seconds before attempting another connection. It will continue to retry the connection every 30 seconds 
until it succeeds. 

4.8 Using the Unit Without Dialup Modems 

The unit may be configured to allow Remote Node and LAN to LAN functionality without using modems; 
dial-on-demand features will be ignored. 

4.8.1 Situations Where Dialup Modems Are Not Used 

There are four primary situations in which the unit may be used without modems: 

Direct connections 

Two units are linked with a serial cable. 

Statistical multiplexors 

Multiplexors (stat-mux) allow multiple serial lines to run over a single leased 
line. The stat-mux must support asynchronous serial communication. 

Synchronous leased line 

Lines are leased from the telephone company and dedicated to synchronous 
serial communication between two fixed locations. 

Analog leased lines 

Analog lines are ordinary telephone lines leased from the telephone company 
and used in conjunction with standard modems. The modems must have leased 
line capabilities. 

4.8.1.1 Direct Connections 

Two buildings may be linked with a serial cable. Two units may use the serial cable to connect two 
networks together. 

4.8.1.2 Statistical Multiplexors 

Two locations may have statistical multiplexors (commonly called stat-muxes) in place. These stat-muxes 
may be used to connect the units. A series of commands may have to be sent to the stat-mux to connect 
to the remote unit; chat scripts make sending these commands easy and relatively error-free. 

Note: See Chat Scripts on page 4-5 for more information. 

The unit assumes an 8-bit data path. If you are using SLIP, all characters must be sent and received 
unchanged by the intervening communications equipment. PPP has a feature called ACCM which causes 
the unit to avoid sending user-specified control characters. If the equipment connecting the unit cannot send 
certain control characters, configure PPP and ACCM on the unit port. 

Note: ACCM is discussed in detail in Character Escaping on page 6-1. 

4.8.1.3 Synchronous Leased Lines 

The unit supports asynchronous serial connections. Many leased lines are synchronous. Devices which 
convert between synchronous and asynchronous serial signals exist, but they may result in some 
performance loss. The current units are not always the best solution for synchronous leased line 
applications. 

4.8.1.4 Analog Leased Lines 

To use a unit with analog leased lines, the modems on each end of the connection must support leased line 
mode and should use asynchronous serial communication. 

Note: See your modem's documentation to configure the modem for leased line mode. 

4.8.2 Configuring the Unit for Modemless Connections 

The unit should initiate the connection at boot time and should not time out the connection. 
The following configuration is recommended. 

♦ Idle timeouts are disabled. 

♦ RTS/CTS flow control is used between the unit and the communications equipment. 

♦ If RTS/CTS flow control is not supported, XON/XOFF flow control may be used in conjunction with 
PPP. If flow control cannot be used, use PPP and monitor the port for checksum errors which may be 
the result of disabled flow control. 

♦ The port is dedicated to PPP or SLIP. 

♦ PPP or SLIP starts automatically. 

♦ The port is configured to support incoming and outgoing connections. 

♦ Modem control is disabled. 

In the following examples (both SLIP and PPP), the unit has an IP address of 192.0.1.1, and must connect 
to another router with IP address 192.99.99.99. 

4.8.2.1 PPP 

Figure 4-25 displays the commands required if PPP is used. Both sides of the leased line should be 
configured using these commands. 

Figure 4-25: Unit Configuration Without Modems: PPP 

Local>> DEFINE IP IPADDRESS 192.0.1.1 
Local>> DEFINE PORT 2 ACCESS DYNAMIC 
Local>> DEFINE PORT 2 SPEED 19200 
Local>> DEFINE PORT 2 FLOW CONTROL CTS 
Local>> DEFINE PORT 2 AUTOSTART ENABLED 
Local>> DEFINE SITE port2 IDLE 0 



If static routing is to be used on the line, routes pointing to the site port2 will be required. 

Figure 4-26: Configuring Static Routing 



Local>> DEFINE SITE port2 IP RIP DISABLED 
Local>> DEFINE SITE IP ROUTE 192.99.99.0 SITE port2 2 

4.8.2.2 SLIP 

Figure 4-27 displays the commands required if SLIP is used. Both sides of the leased line should be 
configured using these commands. 



Figure 4-27: Unit Configuration Without Modems: SLIP 

Local>> DEFINE IP IPADDRESS 192.0.1.1 
Local>> DEFINE PORT 2 ACCESS DYNAMIC 
Local>> DEFINE PORT 2 SPEED 19200 
Local>> DEFINE PORT 2 FLOW CONTROL CTS 
Local>> DEFINE PORT 2 SLIP DEDICATED 
Local>> DEFINE PORT 2 AUTOSTART ENABLED 
Local>> DEFINE SITE port2 PROTOCOL SLIP 
Local>> DEFINE SITE port2 IDLE 0 
Local>> DEFINE SITE port2 IP REMOTEADDRESS 192.99.99.99 



If static routing is to be used on the line, routes pointing to the site port2 will be required. 

Figure 4-28: Configuring Static Routing 

Local>> DEFINE SITE port2 IP RIP DISABLED 
Local>> DEFINE IP ROUTE 192.99.99.0 SITE port2 2 



4.9 Examples 

4.9.1 Creating a Chat Script 

Figure 4-29 displays a sample chat script. This script will send a series of text strings to the remote host, and 
will expect particular strings in return. If an expected string is not received from the remote host, the script 
will loop up to four times before the entire script fails. 



Figure 4-29: Creating a Chat Script 

Local>> DEFINE SITE irvine CHAT TIMEOUT 4 FAIL 
Local>> DEFINE SITE irvine CHAT SEND "" 
Local>> DEFINE SITE irvine CHAT EXPECT "login:" 
Local>> DEFINE SITE irvine CHAT SEND "user" 
Local>> DEFINE SITE irvine CHAT EXPECT "word:" 
Local>> DEFINE SITE irvine CHAT SEND "password" 



4.9.2 Creating a Simple Firewall 

Firewalls are used to protect a network or networks from unauthorized access. To set up a firewall, a filter 
list is used; packet traffic is compared to the filters in the list to determine whether or not it will be 
forwarded. In general, firewalls prevent all packet traffic, with the exception of traffic to a particular service 
or services. 

In this example, a network policy prevents all IP traffic, permitting only ICMP ping packets and email. 
Telnet connections are permitted to only one secure host (192.0.1.4) on the local network. 

4.9.3 Controlling Access During Weekend Hours 



Configurable time ranges are based on a Sunday-to-Saturday week. If you want to allow or restrict access 
for a time period that spans Saturday and Sunday, you need to use multiple commands. 

The following example restricts access during the weekend hours between 5:00 p.m. on Friday and 6:00 
a.m. on Monday. Two commands are used to configure the necessary blocks of time: one that spans Friday 
evening to Saturday just before midnight, and one that spans midnight on Sunday to Monday morning. 

Figure 4-30: Disabling Connections During the Weekend 

Local>> DEFINE SITE irvine TIME ADD FRI 17 SAT 23:59 
Local>> DEFINE SITE irvine TIME ADD SUN 0 MON 6 

Note: In the above example, it is assumed that the access default is "Enabled," in 
which case connections are restricted during the specified time periods. 

The following example achieves the same result by first adding a time range from Monday morning to 
Friday evening. The access default is then set to Disabled, which allows connections only during the 
specified time period. 

Figure 4-31: Enabling Connections During Weekdays Only 

Local>> DEFINE SITE irvine TIME ADD MON 6 FRI 17 
Local>> DEFINE SITE irvine TIME DEFAULT DISABLED 
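
The time-range rules from Setting Up Site Restrictions and from this section can be checked offline before they are entered on the unit. The following Python model is an added example, not code from the unit or from the vendor; its names are hypothetical. It assumes that both ends of a range are inclusive at one-minute resolution and that a range running backwards through the Sunday-to-Saturday week is rejected, neither of which the text above states.

```python
DAYS = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]  # Sunday-to-Saturday week
MINUTES_PER_DAY = 24 * 60
MAX_RANGES = 10  # "Up to ten time ranges may be specified"


def week_minute(day, clock):
    """Convert ("TUES", "23:00") or ("FRI", "17") to minutes since Sunday 00:00."""
    day_index = DAYS.index(day.strip().upper()[:3])  # ValueError on unknown day
    hours, _, minutes = clock.partition(":")
    hours, minutes = int(hours), int(minutes or 0)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"time out of range: {clock}")
    return day_index * MINUTES_PER_DAY + hours * 60 + minutes


class SiteSchedule:
    """Access default plus the list of ranges that invert it."""

    def __init__(self, default_enabled=True):
        self.default_enabled = default_enabled  # TIME DEFAULT ENABLED / DISABLED
        self.ranges = []

    def add(self, spec):
        """Add a range written like the TIME ADD arguments, e.g. 'FRI 17 SAT 23:59'."""
        if len(self.ranges) >= MAX_RANGES:
            raise ValueError("no more than ten time ranges per site")
        tokens = spec.split()
        if len(tokens) == 3:            # DAY START END: range ends on the same day
            tokens.insert(2, tokens[0])
        if len(tokens) != 4:
            raise ValueError(f"expected DAY START [DAY] END, got {spec!r}")
        start = week_minute(tokens[0], tokens[1])
        end = week_minute(tokens[2], tokens[3])
        if end < start:
            # Assumption: a range cannot wrap from Saturday into Sunday.
            raise ValueError(f"range wraps the week, split it in two: {spec!r}")
        self.ranges.append((start, end))

    def permitted(self, minute):
        """True if an outgoing connection is allowed at this minute of the week."""
        in_range = any(start <= minute <= end for start, end in self.ranges)
        # Enabled: allowed except inside a range. Disabled: allowed only inside one.
        return self.default_enabled != in_range


def label(minute):
    day, rest = divmod(minute, MINUTES_PER_DAY)
    return f"{DAYS[day]} {rest // 60:02d}:{rest % 60:02d}"


def disagreements(a, b):
    """Every minute of the week at which two schedules decide differently."""
    return [label(m) for m in range(7 * MINUTES_PER_DAY)
            if a.permitted(m) != b.permitted(m)]


def weekend_blocked():
    """Figure 4-30: default Enabled, two ranges covering the weekend."""
    schedule = SiteSchedule(default_enabled=True)
    schedule.add("FRI 17 SAT 23:59")
    schedule.add("SUN 0 MON 6")
    return schedule


def weekdays_allowed():
    """Figure 4-31: default Disabled, one range covering the working week."""
    schedule = SiteSchedule(default_enabled=False)
    schedule.add("MON 6 FRI 17")
    return schedule


if __name__ == "__main__":
    print(disagreements(weekend_blocked(), weekdays_allowed()))
```

Under the inclusive-endpoint assumption the two configurations agree for the whole week except at the two boundary minutes, Monday 06:00 and Friday 17:00, where the result depends on how the unit treats the ends of a range.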
This chapter explains some important concepts about IP addressing, configuration, and routing. 

To configure IP for remote networking, see Chapter 3, Basic Remote Networking, and Chapter 4, Additional 
Remote Networking. For specific IP commands, see IP Commands on page -15. 

5.1 IP Addresses 

Each TCP/IP node on a network has a unique IP address. The IP address provides the information needed 
to forward packets on the local network and across multiple networks if necessary. IP addresses are 
specified as n.n.n.n, where each n is a number from 0 to 254; for example, 192.0.1.99. You must assign the 
unit a unique IP address. This IP address will also be used for each individual serial port on the unit. 

IP addresses contain three pieces of information: the network, the subnet, and the host. 

The network portion of the IP address is determined by the network type: Class A, B, or C. 



Table 5-1: Network Portion of IP Address 

Network Class    Network Portion of Address 
Class A          First byte (2nd, 3rd, and 4th bytes are the host) 
Class B          First 2 bytes (3rd and 4th bytes are the host) 
Class C          First 3 bytes (4th byte is the host) 



In most network examples, the host portion of the address is set to zero. 

Table 5-2: Available IP Addresses 

Class    Reserved                                         Available 
A        0.0.0.0, 127.0.0.0                               1.0.0.0 to 126.0.0.0 
B        128.0.0.0, 191.255.0.0                           128.1.0.0 to 191.254.0.0 
C        192.0.0.0, 223.255.255.0                         192.0.1.0 to 223.255.254.0 
D, E     224.0.0.0 to 255.255.255.254, 255.255.255.255    None 



Consider the IP address 36.1.3.4. This address is a class A address, therefore, the network portion of the 
address is 36.0.0.0 and the host portion is 1.3.4. 

The subnet portion of the IP address represents which subnetwork the address is from. Subnetworks are 
formed when an IP network is broken down into smaller networks using a subnet mask. 

Note: Subnetworks and subnet masks are discussed on page 5-6. 

A router is required between all networks and subnetworks. Generally, hosts can send packets directly only 
to hosts on their own subnetwork. All packets destined for other subnets are sent to a router on the local 
network. 

The host portion of the IP address is a unique number assigned to identify the host. 

5.1.1 Setting the IP Address 

To set the IP address, use one of the following methods: an ARP entry and the Ping command, a BOOTP 
or RARP reply, or a terminal connected to the serial console port. All methods of setting the address are 
discussed in the following sections; choose the method that is most convenient for you. 

To access the unit, hosts must know the unit IP address. This is typically configured in the host's /etc/hosts 
file (UNIX) or via a nameserver. For configuration instructions, refer to the host's documentation. 

5.1.1.1 Using an ARP Entry and the Ping Command 

If the unit has no IP address, it will set its address from the first directed IP ICMP (ping) packet it receives. 
To generate such a packet, create an entry in a UNIX host's ARP table. The entry should specify the 
intended unit IP address and its current Ethernet address, which is located on the bottom of the unit. 

Figure 5-1: Adding to the ARP Table 

# arp -s 192.0.1.228 00:80:a3:xx:xx:xx 

Note: Creating an ARP entry requires superuser privileges on the host. 

Ping the server using the following command. 

Figure 5-2: Ping Command 

unix% ping 192.0.1.228 



When the server receives the ping packet, it will notice that its own IP address is not currently set and will 
send out broadcasts to see if anyone else is using this address. If no duplicates are found, the server will use 
this IP address and will respond to the ping packet. The unit will not save this learned IP address 
permanently. It is intended as a temporary measure to enable EZWebCon to communicate with the server 
or allow an administrator to Telnet to the unit remote console port (port 7000). 

Note: The remote console port is discussed in Remote Console Sessions on page 5-11. 

To make the IP address permanent, use the Define IP IP Address command. This command requires 
privileged status. 

Figure 5-3: Telnetting to the Remote Console Port 

% telnet xxx.xxx.xxx.xxx 7000 
Trying xxx.xxx.xxx.xxx 
Connected to xxx.xxx.xxx.xxx 
Escape character is '^]' 
# access (not echoed) 

SMC unit Version n.n/n (yymmddd) 

Type Help at the 'Local>' prompt for assistance. 

Enter Username> bob 

Local> SET PRIVILEGED 
Password> system (not echoed) 
Local>> DEFINE IP IPADDRESS 192.0.1.99 



5.1.1.2 Using a BOOTP or RARP Reply 

The unit IP address can be configured when the unit boots using information supplied by a host-based 
RARP or BOOTP server. For configuration information, see the host-based man pages. 

Many BOOTP daemons will not reply to a BOOTP request if the download filename in the configuration 
file does not exist. To get the BOOTP daemon to respond, create a file with the same pathname specified in 
the configuration file. 

5.1.1.3 From the Serial Console Port 

To define the IP address from the serial console port, connect a terminal to the unit and press the Return key. 

If the unit is booting when you press the Return key, a Boot> prompt appears. This prompt enables you to 
enter a special set of commands, the Boot Configuration Program (BCP) commands. To configure the IP 
address at this prompt, enter the following command. 

Figure 5-4: Configuring the IP Address Using BCP 

Boot> SET SERVER IP IPADDRESS 192.0.1.221 



Note: For more information on Boot Configuration Program commands, refer to 
Appendix B of your Installation Guide. 

If the unit is running when you press the Return key, a Local_1> prompt will be displayed. The 1 represents 
port 1, the serial console port. To set the IP address at this prompt, you will need to become the privileged 
user by issuing the following commands: 

Figure 5-5: Becoming the Privileged User 

Local_1> SET PRIVILEGED 
Password> system (not echoed) 

Once you've obtained privileged access, use the Set/Define IP IP Address command. 

Figure 5-6: Set/Define IP Address 

Local_1>> DEFINE IP IPADDRESS 192.0.1.221 



5.1.2 IP Addresses for Incoming Connections 

When the unit receives an incoming connection request (remote node or LAN to LAN), an IP address is 
negotiated for the caller. The address agreed upon depends on the caller's requirements; some don't have a 
specific address requirement, while others must use the same IP address each time they log into the unit. 

Note: PPP negotiation is covered in Chapter 6, PPP. 

If an incoming caller does not require the same address for each login, a dynamic address can be assigned 
from an address pool. See IP Address Pools on page 5-4 for configuration instructions. 

Some remote nodes or remote routers cannot be dynamically assigned an IP address. For example, a remote 
node may offer a service to other hosts on its network. If the other hosts are statically configured to use that 
IP address to contact the remote node, the node's IP address must not change. In this situation, two courses 
of action may be taken: the caller may be permitted to choose any address, or may be restricted to a specific 
address or range of addresses. 

Permitting the caller to choose an address presents a number of risks. If the caller chooses an unacceptable 
IP address (for example, the address of a server), it could affect the accuracy of routing tables elsewhere on 
the network. In addition, the caller could choose an IP address intended for another host, compromising 
network security. 

To avoid routing and security problems, the unit should restrict incoming callers to a particular address or 
range of addresses. This restriction may be defined in each site to force each caller to use a unique IP 
address; see Specifying IP Address Range for a Site on page 5-5 for configuration instructions. 

5.1.2.1 IP Address Pools 

An address pool is a range of IP addresses that have been reserved for allocation to incoming callers. The 
range is defined for the entire server; in other words, an address pool cannot be defined for each site. 

To define an address pool, use the Set/Define IP Ethernet Pool command. You must specify both the 
beginning and end of the address range. 

Figure 5-7: Defining IP Address Pool 

Local>> DEFINE IP ETHERNET POOL 192.0.1.50 192.0.1.59 



Note: Set/Define IP All Pool is not a valid command. The Ethernet parameter must be 
used. 

Ensure that the address pool is at least as large as the number of serial ports that can accept incoming 
connections. If all addresses in the pool are in use, incoming callers will not be assigned an IP address. 

The unit will automatically add host routes to the routing table for all addresses in the pool. When an 
address from the pool is assigned to an incoming caller, the route to the address will be announced in RIP 
broadcasts. 

Addresses in the pool are automatically added to the unit ARP table. If proxy ARPing is enabled (see Proxy 
ARP on page 5-17), the unit will respond to ARP requests for these addresses, even when they aren't 
currently assigned. This enables the unit to defend the addresses in the pool; other hosts will not be able to 
use them. 

5.1.2.2 Specifying IP Address Range for a Site 

Each site may specify a particular range of acceptable IP addresses. When an incoming caller requests to 
use a specific address, it will be compared to this range. If the address falls within this range, the connection 
will be permitted; if not, the connection attempt will fail. 

To specify the beginning and end of the range, use the Define Site IP Remoteaddress command. Two 
addresses must be specified: the beginning of the range and the end of the range. 

Figure 5-8: Specifying Range of Addresses 

Local>> DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.110 192.0.1.250 



Callers will not be permitted to use IP addresses with the host part of the address set to zero or -1. These 
addresses are reserved to identify broadcast packets. If the range that you specify includes such an address 
(for example, 192.5.6.0 or 192.4.2.255) and a caller requests this address, the connection will not be 
permitted. 

RADIUS can also be used to set the IP address range for a site. See Framed-IP-Address on page C-3 for 
more information. 

5.1.2.3 Specifying a Specific IP Address for a Site 

To require that incoming callers to a particular site use a specific IP address, use the Define Site IP 
Remoteaddress command. You can specify only one address. (If two addresses were specified, a range 
would be defined.) 

Figure 5-9: Specifying Specific IP Address 

Local>> DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.108 



When an incoming caller requests an IP address, it will be compared to this address. If they match, the caller 
will use the address. If the addresses do not match, the unit will terminate the call (hang up). 
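The acceptance checks from sections 5.1.2.2 and 5.1.2.3, modelled in Python as an added example (not code from the unit or from this manual). The netmask parameter and the function names are assumptions; the manual only says that the host part may not be zero or -1.

```python
import ipaddress


def host_part_reserved(address, netmask):
    """True if the host part of address is all zeros or all ones (-1)."""
    ip = int(ipaddress.IPv4Address(address))
    host_bits = ~int(ipaddress.IPv4Address(netmask)) & 0xFFFFFFFF
    if host_bits == 0:          # a 255.255.255.255 mask leaves no host part
        return False
    return (ip & host_bits) in (0, host_bits)


def check_remote_address(requested, allowed, netmask):
    """Decide whether a caller may use `requested`.

    `allowed` is one address (section 5.1.2.3) or a (first, last) pair
    (section 5.1.2.2), as given to DEFINE SITE ... IP REMOTEADDRESS.
    Returns (permitted, reason).
    """
    req = ipaddress.IPv4Address(requested)
    if isinstance(allowed, str):
        first = last = ipaddress.IPv4Address(allowed)
    else:
        first, last = (ipaddress.IPv4Address(a) for a in allowed)
    if first > last:
        raise ValueError("range start is above range end")
    if host_part_reserved(requested, netmask):
        return False, "host part is zero or -1 (reserved for broadcast)"
    if not first <= req <= last:
        return False, "address is outside the site's REMOTEADDRESS setting"
    return True, "permitted"


def reserved_in_range(first, last, netmask):
    """List the addresses inside a configured range that callers can never use."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n))
            for n in range(lo, hi + 1) if host_part_reserved(n, netmask)]


if __name__ == "__main__":
    site_range = ("192.0.1.110", "192.0.1.250")      # range from Figure 5-8
    for addr in ("192.0.1.120", "192.0.1.109"):
        print(addr, check_remote_address(addr, site_range, "255.255.255.0"))
    # Constructed range that spans a subnet boundary.
    print(reserved_in_range("192.5.5.250", "192.5.6.2", "255.255.255.0"))
```

Running `reserved_in_range` over a planned range before defining it shows which addresses in the range the unit will refuse even though they fall inside it.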

5.1.3 IP Addresses For Outgoing Connections 

By default, when a new site is defined, the unit IP address on that interface will be the IP address defined 
with the Define Site IP Address command. 

Certain remote hosts may require that the unit have a certain IP address on that interface. For example, a 
remote host may require that RIP updates be received from a particular IP address, or an address within a 
certain range. In these cases, a site-specific IP address may be configured for a particular interface. For 
example, site irvine may configure the unit IP address on its interface as 193.20.339.2, and site dallas may 
configure the unit address on its interface as 192.20.338.0. 

Note: The unit cannot be assigned an IP address by the remote host. 

To change the IP address for a particular site's interface, use the Define Site IP Address command. 

Figure 5-10: Defining IP Address for a Site 

Local» DEFINE SITE irvine IP ADDRESS 192.0.1.220 

5.1.3.1 SLIP 

SLIP does not support negotiation of IP addresses. If a SLIP user requires the same IP address for each 
login, the user may enter the address using the Set SLIP command. 

Figure 5-11: Specifying IP Address with Set SLIP Command 

Local» SET SLIP irvine 192.0.1.35 



If the port receiving the incoming call is dedicated to SLIP, a specific IP address may be assigned via a 
custom site. To define the address for the site, use the Define Site IP Remoteaddress command. 

Figure 5-12: Specifying IP Address for a Custom Site 

Local» DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.108 



If the user does not require the same address for each login, an address may be dynamically assigned from 
the address pool. To configure the range of addresses in the pool, use the Set/Define IP Ethernet Pool 
command. You must specify both the beginning and end of the address range. 

Figure 5-13: Defining IP Address Pool 

Local» DEFINE IP ETHERNET POOL 192.0.1.50 192.0.1.59 



All incoming SLIP users that do not use a custom site will use the default site for the connection. To require 
that default site users use an IP address from the pool, use the Define Site Default IP Remoteaddress 
command. 

Figure 5-14: Using the Address Pool for the Default Site 

Local» DEFINE SITE DEFAULT IP REMOTEADDRESS 192.0.1.100 192.0.1.105 



5.2 Subnet Masks 

IP networks can be divided into several smaller networks by subnetting. When you request a connection, 
the unit decides whether the desired TCP/IP host is on the local network segment with the help of the subnet 
mask. The mask identifies the network and node parts of the IP address, which is then applied to the 
addresses of both the unit and the remote host. If the resulting addresses are identical, the connection is 
deemed local and the host is contacted directly. If not, the connection attempt and all subsequent messages 
to this host will be directed to the unit's gateway host for forwarding. All hosts must agree on the subnet 
mask for a given network. 

For example, IP address 128.1.150.35 is on a class B network. The network portion of this address is 128.1. 
This large network can be broken down into 254 networks using a subnet mask of 255.255.255.0, which 
makes the network portion 128.1.150. 

It is not always necessary to divide a network into subnetworks. To determine whether subnetting is 
required, a number of factors should be considered, including the network size and whether or not network 
traffic needs to be isolated in a particular area. 

When you configure the IP address for the first time, a default subnet mask will be configured automatically. 
This default subnet mask should work for most networks. If your network is divided into subnetworks, you 
will need to create a custom subnet mask. To override the default subnet masks, use the Set/Define IP 
Subnet Mask command. 



Figure 5-15: Setting the Subnet Mask 



Local» DEFINE IP SUBNET MASK 255.255.0.0 



It is also possible to learn a subnet mask from BOOTP, though not all BOOTP server implementations 
support sending subnet masks. Check your BOOTP server's documentation. 

To display the subnet mask, use the Show IP command. 

Figure 5-16: Show IP Output 



Local» SHOW IP 

SMC* Version Bl.l/102int (951128)     Name:        DOC_SERVER 
Hardware Addr: 00-80-a3-0b-00-5b      Uptime:      1 Day 22:49 
IP Address:    192.0.1.221            Subnet Mask: 255.255.255.0 



The unit will not change the subnet mask once it is set. If the unit IP address is changed to a different class, 
for example, from a class B to a class C address, the subnet mask will remain the class B mask. 

The unit supports CIDR (classless routing). CIDR allows Internet Service Providers (ISPs) to group blocks 
of class C networks into larger networks. Your ISP will provide you with the appropriate subnet mask. If 
you enter a CIDR subnet mask with the Set/Define IP Subnet command, the unit will display a reminder 
that classless routing is being used. 

Figure 5-17: Using Classless Routing 



Local» DEFINE IP ADDRESS 192.0.1.1 
Local» DEFINE IP SUBNET 255.255.240.0 
%Info: Supernet (CIDR) mask set. 



5.2.1 Length of Subnet Masks 

Variable length subnet masks divide networks into subnetworks of different sizes. For example, if network 
128.1.0.0 used variable length subnet masks, the subnet 128.1.4.0 might have subnet mask 255.255.255.0, 
and subnet 129.1.224.0 might have subnet mask 255.255.255.240. 

For the unit to function properly, all subnetworks within a particular network must use the same subnet 
masks even if each network has a subnet mask of a different length. 

5.3 Name Resolving 

TCP/IP hosts generally have an alphanumeric host name, such as athena, as well as a numeric IP address, 
such as 192.0.1.35. As a text host name may be easier to remember than an IP address, users may use this 
name to refer to the host during a Telnet connection attempt. 

Network hosts do not understand alphanumeric (text) host names. When a text name is used, the unit must 
translate it into its corresponding IP address. The translation process is called name resolution. 

To resolve a name, the unit can use one of two resources: its local name table, or the Domain Name Service 
(DNS). For example, suppose user Bob wishes to telnet to athena.com. The unit will consult its local host 
table; if the name doesn't exist, the unit will attempt to resolve the name using the DNS. If the name cannot 
be resolved, the IP address must be entered in order to access the host. 

Some host names and IP addresses are added to the local host table by rwho packets, which are periodically 
broadcast by UNIX hosts that support the rwho protocol. If addresses are not learned from rwho packets 
and DNS is not available, hosts may be manually added to the table. See Adding Hosts to the Host 
Table on page 5-9 for instructions. 

To use the DNS, the unit must know the IP address of the DNS server, called the Domain Name Server. 

5.3.1 Configuring the Domain Name Service (DNS) 

To use the DNS for name resolution, use the Set/Define IP Nameserver command. 

Figure 5-18: Setting the Domain Name Server 

Local» DEFINE IP NAMESERVER 192.0.1.166 



To specify a backup nameserver, use the Set/Define IP Secondary Nameserver command. If the first 
nameserver isn't available, requests will be sent to the secondary server. 

5.3.2 Specifying a Default Domain Name 

A default domain name may be configured using the Set/Define IP Domain command. This domain name 
will be automatically appended to any host name during name resolution. 

Figure 5-19: Configuring a Default Domain Name 

Local» DEFINE IP DOMAIN ctcorp.com 



In the example above, the default domain name is ctcorp.com. If user Bob typed telnet athena, the unit 
would automatically append the domain suffix and attempt to resolve athena.ctcorp.com. 

If a hostname is entered that ends with a period ("."), the unit will not add the domain suffix to the hostname 
for resolution. 

5.3.3 Adding Hosts to the Host Table 

If the DNS is not available on your network, hosts may be manually entered in the local host table using the 
Set/Define Hosts command. 

Figure 5-20: Adding a Host to the Local Host Table 

Local» DEFINE HOST athena 192.0.1.15 



To display the current entries in the host table, use the Show Hosts command. 



Figure 5-21: Displaying Host Table Entries 

Local» SHOW HOSTS 

IP Address     Host       TTL 
192.0.1.15     ATHENA     8 min   (Rwho) 
192.0.1.123    MERCURY    8 min   (Rwho) 



To remove an entry from the host table, use the Clear/Purge Hosts command. 

Figure 5-22: Deleting a Host From the Host Table 

Local» PURGE HOST mercury 



5.4 Sessions 

When you log into a unit port to connect to a network service, your connection is referred to as a session. 
A network service may be an interactive login to a TCP/IP host, a connection to a modem on the unit, 
another server, etc. 

Note: The word "sessions" in this manual is used to describe interactive connections; 
PPP or SLIP connections are not referred to as sessions. 

The following section explains how to establish sessions and set up connection characteristics. Specific port 
configuration and other session characteristics are discussed in Chapter 7, Ports. 

To display the current sessions, use the Show Sessions command. The port number and username will be 
displayed, along with the connection type and current number of sessions. 



Figure 5-23: Displaying the Current Sessions 



Local» SHOW SESSIONS 

Port 17: bob    Telnet Login    Current: 2 
Session 1  Telnet    ATHENA      Interactive (Cr, Del) 
Session 2  Telnet    HERCULES    Interactive (Cr, Del) 

5.4.1 Telnet and Rlogin Sessions 

Telnet is an industry-standard protocol that enables users anywhere on a network to access a remote host 
and start a terminal session. Telnet connections do not require that either end of the connection know the 
hardware/software used on the other end; for example, if user Bob connects to host athena's platform (see 
Figure 5-24), athena doesn't know what terminal type Bob is using, and Bob doesn't know athena's 
platform or operating system. 

Figure 5-24: Telnet Connections 



[Diagram: two terminals, two modems, and host "athena"] 



Rlogin connections are similar to Telnet connections; however, Rlogin enables trusted users to log into a 
host without password verification. 

5.4.1.1 Outgoing Telnet/Rlogin Connections 

To establish an outgoing Telnet connection, use the Telnet command. To establish an outgoing Rlogin 
connection, use the Rlogin command. Either a text host name or an IP address may be specified. 

Figure 5-25: Outgoing Telnet/Rlogin Connections 

Local» TELNET athena 
Local» TELNET 192.0.1.15 
Local» RLOGIN 192.0.1.15 



Note: For information on resolving host names, see Name Resolving on page 5-8. 

By default, Telnet and Rlogin connections will be made to a preset port number. To connect to a different 
port number, use the Telnet/Rlogin commands in conjunction with a port number (prefaced by a colon). 

Figure 5-26: Telnetting to a Specific Port Number 

Local» TELNET athena:145 

If the unit port has been configured with a terminal type (such as VT100), this information will be sent to 
the remote host during the session. To configure the terminal type, use the Set/Define Ports TermType 
command. 

Figure 5-27: Setting Term Type 

Local» DEFINE PORT 2 TERMTYPE VT100 



Rlogin can be a security problem. When the unit attempts an outgoing Rlogin connection, the unit will send 
the username specified when the user logs into the unit. If a user is not authenticated during the unit login 
process, an unauthorized username may be used to Rlogin to remote hosts. The easiest way to avoid this 
problem is to disable outgoing Rlogin connections. 

Figure 5-28: Disabling Outgoing Rlogin Connections 

Local» DEFINE SERVER RLOGIN DISABLED 



Another way to secure your network is to ensure that the unit is not a trusted host on any UNIX hosts on the 
network. This solution is not foolproof, however; a user could still add the unit to a UNIX host's .rhosts file. 

5.4.1.2 Incoming Telnet/Rlogin Connections 

By default, the unit will permit incoming Telnet and Rlogin connections. If this poses a security problem 
on your network, these connections can be disabled, restricted with a password requirement, or restricted 
using the IP security table. 

To disable incoming Telnet/Rlogin connections, use the Set/Define Server Incoming command. 

Figure 5-29: Disabling Incoming Telnet/Rlogin Connections 

Local» DEFINE SERVER INCOMING NONE 



To require the login password for incoming Telnet/Rlogin connections, use this command: 

Figure 5-30: Requiring the Login Password 

Local» DEFINE SERVER INCOMING PASSWORD 



To restrict incoming Telnet and Rlogin connections using the IP security table, see IP Security on page 5-12. 

5.4.2 Remote Console Sessions 

The remote console port, designated as port 7000, provides users with a fail-safe way to log into the unit. 
Remote console logins cannot be disabled; therefore, if incoming logins are disabled, a remote console login 
will be the only way to remotely access the unit. 

The remote console prompt cannot be changed, even with the Set/Define Server Prompt command. If your 
configuration requires that a script be used to communicate with the unit, the script can depend on receiving 
the same prompt from the unit each time that it runs. 

5.4.2.1 Logging Into the Remote Console Port 

To Telnet to the remote console port, use the Telnet command. Specify the IP address of the unit followed 
by the remote console port number. 

Figure 5-31: Telnetting to the Remote Console Port 

% telnet xxx.xxx.xxx.xxx 7000 
Trying xxx.xxx.xxx.xxx 
Connected to xxx.xxx.xxx.xxx 
Escape character is '^]' 
# 



At the # prompt, enter the login password. The default login password is access. 

Note: To change the login password, see Set/Define Server Login Password on page -106. 

Figure 5-32: Entering the Login Password 

# access (not echoed) 
Version n.n/n (yymmdd) 

Type HELP at the 'Local>' prompt for assistance. 
Enter username> bob 



5.4.2.2 Configuring the Remote Console Port 

Remote console connections are associated with a virtual (rather than physical) port. For virtual port 
configuration instructions, see Virtual Ports on page 7-19. 

The remote console port cannot be associated with preferred or dedicated services or protocols. To ensure 
that the remote console port is always accessible, it cannot be restricted using IP security or username/ 
password authentication. 

5.5 IP Security 

IP security allows an administrator to restrict incoming and outgoing TCP/IP sessions, access to ports, and 
print jobs. Connections are allowed or denied based upon the source IP address for incoming connections 
and print jobs and the destination IP address for outgoing connections. 

IP security for connections can be set to Incoming Enabled/Disabled, Outgoing Enabled/Disabled, or Both. 
Incoming refers to users on other hosts attempting to log into the unit. Outgoing refers to local users 
connecting to other TCP/IP hosts. The Both parameter enables or disables both Incoming and Outgoing 
connections. IP security for printing can be set to Enabled or Disabled. The printing setting affects both 
LPR and RTEL print jobs from the specified hosts. 

Note: By default, there are no IP security restrictions. 

IP security will not affect the remote console port. To secure the remote console port, ensure that the login 
password has been changed from the default login password (see Set/Define Server Login Password on 
page -106). 

5.5.1 Configuring the Security Table 

The IP security table provides rules for checking a TCP/IP connection for legality. To configure the IP 
security table, use the Set/Define IP Security command. To add an entry to the table, specify an IP address, 
a list of affected ports, and what type of restriction is desired. The IP address must be four segments of 
0-255 each; for example, the address 131.67 is not valid. Figure 5-33 displays two example entries. 

Figure 5-33: Set/Define IP Security Commands 



Local» DEFINE IP SECURITY 192.0.1.255 OUTGOING DISABLED PORT 3 
Local» DEFINE IP SECURITY 192.0.5.255 PRINTING DISABLED 



The first command prevents port 3 from beginning sessions with hosts whose addresses range from 
192.0.1.1 through 192.0.1.254 using the 255 "wildcard" network address segment. A 255 in any segment 
applies to all numbers in that range: 192.0.1.255 includes 192.0.1.1, 192.0.1.2, and so on. The second 
command covers addresses from 192.0.5.1 through 192.0.5.254 using the wildcard segment. It prevents nodes 
in that range from sending print jobs to the server. 

A more specific rule takes precedence over a less specific one. For example, if connections to 192.0.1.255 
are disabled but connections to 192.0.1.78 are enabled, a connection to 192.0.1.78 will succeed. If no 
entries are defined in the table, all connection attempts will succeed. To ensure that all connections will fail 
unless directly specified in another entry, enter the following command: 

Figure 5-34: Set/Define IP Security Commands 



Local» SET IP SECURITY 255.255.255.255 INCOMING DISABLED OUTGOING DISABLED 



Note: If the user making the connection is the privileged user (see the Set Privileged/ 
Noprivileged command), the connection will be allowed regardless of the entries 
in the table. 

A trailing zero in any address segment is shorthand for "all addresses in this range, both incoming and 
outgoing disabled, for all ports." For example, the following two commands are equivalent. 

Figure 5-35: Set/Define IP Security Commands 



Local» DEFINE IP SECURITY 192.0.1.0 

Local» DEFINE IP SECURITY 192.0.1.255 OUTGOING DISABLED INCOMING DISABLED 



Finally, port zero corresponds to the virtual ports (that is, users who log into the server from the network). 
If no ports are specified on the command line, the command will affect all local and virtual ports. 

Note: For a description of virtual ports, see Virtual Ports on page 7-19. 
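The table semantics described in this section, modelled in Python as an added example for auditing a planned rule set (it is not the unit's own code). Assumptions: an address matched by no entry is allowed, equally specific entries resolve to the more restrictive one, and PORT takes a comma-separated list.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

KINDS = ("incoming", "outgoing", "printing")


@dataclass(frozen=True)
class Rule:
    segs: Tuple[int, ...]                    # a 255 segment is a wildcard
    incoming: Optional[bool] = None          # None: entry does not set this kind
    outgoing: Optional[bool] = None
    printing: Optional[bool] = None
    ports: Optional[FrozenSet[int]] = None   # None: all local and virtual ports


def parse_rule(command):
    """Parse one SET/DEFINE IP SECURITY line as shown in Figures 5-33 to 5-35."""
    words = command.split()
    head = [w.upper() for w in words[:3]]
    if len(words) < 4 or head[0] not in ("SET", "DEFINE") or head[1:] != ["IP", "SECURITY"]:
        raise ValueError("not an IP SECURITY command")
    segs = [int(s) for s in words[3].split(".")]
    if len(segs) != 4 or not all(0 <= s <= 255 for s in segs):
        raise ValueError("address must be four segments of 0-255")
    settings, ports = {}, None
    args = words[4:]
    if len(args) % 2:
        raise ValueError("each keyword needs a value")
    for key, value in zip(args[::2], args[1::2]):
        key, value = key.upper(), value.upper()
        if key == "PORT":                    # assumption: comma-separated list
            ports = frozenset(int(p) for p in value.split(","))
        elif key in ("INCOMING", "OUTGOING", "PRINTING", "BOTH") and value in ("ENABLED", "DISABLED"):
            kinds = ("incoming", "outgoing") if key == "BOTH" else (key.lower(),)
            settings.update({k: value == "ENABLED" for k in kinds})
        else:
            raise ValueError(f"unexpected {key} {value}")
    if segs[3] == 0:
        # Trailing-zero shorthand: zero segments become wildcards and, with no
        # keywords given, incoming and outgoing are both disabled.
        i = 3
        while i > 0 and segs[i] == 0:
            segs[i] = 255
            i -= 1
        if not settings:
            settings = {"incoming": False, "outgoing": False}
    return Rule(tuple(segs), ports=ports, **settings)


def allowed(rules, kind, address, port=0, privileged=False):
    """Evaluate one connection; port 0 stands for the virtual ports."""
    if privileged:                           # privileged user bypasses the table
        return True
    addr = tuple(int(s) for s in address.split("."))
    best, verdict = -1, True                 # assumption: no match means allowed
    for rule in rules:
        setting = getattr(rule, kind)
        if setting is None or (rule.ports is not None and port not in rule.ports):
            continue
        if any(r != 255 and r != a for r, a in zip(rule.segs, addr)):
            continue
        specificity = sum(r != 255 for r in rule.segs)
        if specificity > best:               # more specific entry wins
            best, verdict = specificity, setting
        elif specificity == best:            # assumption: tie goes to the denial
            verdict = verdict and setting
    return verdict


def default_open_kinds(rules):
    """Kinds with no 255.255.255.255 DISABLED entry, i.e. still default-allow."""
    closed = {k for r in rules if r.segs == (255,) * 4 and r.ports is None
              for k in KINDS if getattr(r, k) is False}
    return [k for k in KINDS if k not in closed]


if __name__ == "__main__":
    table = [parse_rule(c) for c in (
        "DEFINE IP SECURITY 192.0.1.255 OUTGOING DISABLED PORT 3",
        "DEFINE IP SECURITY 192.0.1.78 OUTGOING ENABLED",   # constructed entry
    )]
    print(allowed(table, "outgoing", "192.0.1.78", port=3))
    print(allowed(table, "outgoing", "192.0.1.79", port=3))
    print(default_open_kinds(table))
```

The remote console port is outside this model, since the manual states that IP security does not affect it.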

5.5.2 Clearing Table Entries 

Individual entries can be cleared by doing a Clear (or Purge) IP Security with no parameters other than 
the address. 

Figure 5-36: Clear IP Security Command 

Local» CLEAR IP SECURITY 192.0.1.102 

The entire security table can be cleared with the following command. 

Figure 5-37: Clearing the Security Table 

Local» CLEAR IP SECURITY ALL 



5.6 IP Routing 

TCP/IP internets are usually broken down into networks. Each host on a particular network can only see 
hosts on its network; to transfer network traffic to other networks, routers (also called gateways) are required. 
Routers are typically connected to two or more networks. 

The unit serves as a router for the networks that it is directly connected to. To determine the path to other 
routers on the network, the unit will listen to network broadcast packets (for example, RIP packets); routers 
will advertise themselves in these packets. 

The unit must be positioned between two networks in order for routing to work correctly. If two or more 
units are used, the units cannot be on the same network (as in Figure 5-38). 

Figure 5-38: Two Units Used to Link the Same Network 

[Network diagram; the one legible address label is 192.1.1.5] 



5.6.1 How Packets are Routed 

When an IP host tries to send a packet, it looks to see if the destination address is on the same network as 
the host's IP address. If it is, the host sends the packet directly to its destination. If the packet is destined for 
a different network, the host sends it to a router (in this case, the unit). 

When the unit receives the packet, it examines the packet's destination address, determines the most 
efficient route to this address, and forwards the packet to this location. The "most efficient route" is 
determined using two factors: the network that the address is part of and the unit routing table, which is 
discussed in the following section. 

5.6.2 Routing Tables 

The unit uses a routing table to keep track of which networks are reachable, and the shortest route to each 
network. A typical routing table entry consists of the destination network, and which router is the best path 
to that network. Routing tables also keep track of the cost or metric required to get to a given network. 

5.6.2.1 Types of Routes 

There are three types of routes: host, network, and default. 

Host Routes      A host route is a route to a single host. Generally, a host route is entered for 
                 each Remote Node that logs into the unit. 

Network Routes   A network route is a route to another network. A network route is used if a host 
                 route to the destination doesn't exist. 

Default Routes   A default route is used if a more specific host or network route isn't available. 
                 It is used to cut down on the size of routing tables and dynamic routing protocol 
                 updates. If, for example, the unit is the only path for network packets to reach 
                 a much larger group of networks, the unit can be configured to advertise itself 
                 as the default route. 

Note: See Set/Define IP Route Default on page -25 and Define Site IP Default on page -125. 

A unit in a small sales office might have a default route that points to the corporate headquarters. The unit 
doesn't need to know about all of the routes on the headquarters network. It only knows to send all otherwise 
unspecified traffic to the central location, where it will be routed to the final destination. 

5.6.2.2 Adding Routes to the Table 

Entries may be added to the routing table in three ways: locally, statically, or dynamically. 

Locally          When a route is added locally, it is automatically determined from the unit IP 
                 address and network mask. The unit always keeps a local route to the Ethernet 
                 that it is attached to; this route is never deleted. 

Statically       Statically-entered routes are entered and removed by the administrator. These 
                 routes are used when dynamic routes cannot be. 

                 To add a static route to the routing table, use the Set/Define IP Route 
                 command. A destination and a path to that destination must be specified. The 
                 destination may be an IP network, subnetwork, or host. 

                 The path may be another router on the Ethernet or a site. To specify that 
                 the route is another router, use the Nextrouter parameter. To specify that the 
                 route is to a site, use the Site parameter. The Site parameter indicates that a 
                 particular site should be started to forward the packet. The site will handle any 
                 remote connections necessary to forward the packet (for example, dialing 
                 another LAN). 

                 A metric will be associated with the route to indicate its "cost." The unit will 
                 use this cost to determine the most efficient route; routes with a lower cost will 
                 be chosen over routes with a higher cost. If a metric is not specified, the unit 
                 will assign a metric of 1 to the route. 



Figure 5-39: Adding Static Routes 

Local» DEFINE IP ROUTE 192.5.4.0 NEXTROUTER 192.0.1.1 4 
Local» DEFINE IP ROUTE 192.5.3.0 SITE dallas 



In the above example, the first command specifies that the route to network 
192.5.4.0 is through another router, 192.0.1.1. The route was assigned a metric 
of 4. 

The second command specifies that the route to network 192.5.3.0 is through 
site dallas. As a metric is not specified, the unit will assign this route a metric 
of 1. When the unit receives traffic destined for network 192.5.3.0, if this route 
is determined to be the most efficient route, site dallas will be started and will 
forward the packet. 

To enter a static default route, use the Set/Define IP Route Default command. 



Figure 5-40: Adding Default Routes 

Local» DEFINE IP ROUTE 192.0.1.0 DEFAULT SITE internet 
Local» DEFINE IP ROUTE 192.0.2.0 DEFAULT NEXTROUTER 192.0.1.1 2 



Dynamically      These routes are automatically learned from other routers on the network and 
                 are managed by a dynamic routing protocol. The unit currently supports one 
                 dynamic routing protocol, RIP. Routes are automatically entered when new 
                 networks come online, and automatically removed if the networks are no 
                 longer reachable. 

                 Dynamic routes learned via sites are the exception; they are never timed out. 
                 The unit assumes that these networks are reachable by bringing up a link. This 
                 allows the unit to learn about extended networks at the remote site without the 
                 administrator's intervention. 

5.6.3 RIP 

RIP (Routing Information Protocol) is the dynamic routing protocol supported by the unit. Throughout this 
manual, the term "RIP" refers to RIP version 1. RIP is automatically enabled on all unit interfaces, including 
sites. For a complete discussion of RIP options, including disabling RIP, see RIP on page 4-3. 

Note: RIP is described in RFC-1058. 

Normally, RIP listens to routing table updates from any source. This can lead to problems if a misconfigured 
host accidentally begins sending incorrect information via RIP. It may also lead to security or denial of 
service attacks by a malicious user who is capable of sending false RIP messages. 

The unit can be configured to listen only to RIP updates from a list of trusted IP addresses. See Set/Define 
IP Trusted on page -29 for details. This is not entirely foolproof, however, as a sophisticated attacker could 
still send RIP updates as one of the trusted addresses and potentially defeat the system. 
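An added example (not the unit's code) of the checks a monitoring host can apply to a captured RIP version 1 response: the trusted-router list described above plus the RFC 1058 format rules. The sample packet bytes are constructed, and the function names are illustrative.

```python
import ipaddress
import struct

RIP_PORT = 520        # RFC 1058: responses must come from UDP port 520
CMD_RESPONSE = 2
INFINITY = 16         # metric 16 means "unreachable"
ENTRY = "!HH4sIII"    # family, zero, address, zero, zero, metric (20 bytes)


def build_response(routes):
    """Encode (network, metric) pairs as a RIP-1 response (for test data)."""
    pkt = struct.pack("!BBH", CMD_RESPONSE, 1, 0)
    for net, metric in routes:
        pkt += struct.pack(ENTRY, 2, 0, ipaddress.IPv4Address(net).packed, 0, 0, metric)
    return pkt


def parse_response(data):
    """Return [(network, metric)] or raise ValueError on a malformed packet."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("bad length")
    command, version, zero = struct.unpack("!BBH", data[:4])
    if command != CMD_RESPONSE or version != 1 or zero:
        raise ValueError("not a RIP-1 response")
    if not 1 <= (len(data) - 4) // 20 <= 25:
        raise ValueError("entry count outside 1-25")
    routes = []
    for off in range(4, len(data), 20):
        family, z1, addr, z2, z3, metric = struct.unpack(ENTRY, data[off:off + 20])
        if family != 2 or z1 or z2 or z3:
            raise ValueError("must-be-zero field set or non-IP family")
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric outside 1-16")
        routes.append((str(ipaddress.IPv4Address(addr)), metric))
    return routes


def vet_update(src_ip, src_port, data, trusted):
    """Return (accepted_routes, findings) for one captured update."""
    if src_ip not in trusted:
        return [], [f"dropped: {src_ip} is not a trusted router"]
    if src_port != RIP_PORT:
        return [], [f"dropped: {src_ip} sent from port {src_port}, not {RIP_PORT}"]
    try:
        routes = parse_response(data)
    except ValueError as exc:
        return [], [f"dropped: malformed update from {src_ip}: {exc}"]
    findings = []
    for net, metric in routes:
        # The source address can be forged, so a trusted sender is not proof
        # of origin; surface the change with the widest effect for review.
        if net == "0.0.0.0":
            findings.append(f"review: {src_ip} advertises a default route (metric {metric})")
    return routes, findings


if __name__ == "__main__":
    trusted = {"192.0.1.70"}                       # constructed trusted list
    sample = build_response([("192.4.4.0", 3), ("0.0.0.0", 1)])
    print(vet_update("192.0.1.70", 520, sample, trusted))
    print(vet_update("192.0.1.99", 520, sample, trusted))
```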

5.6.4 Proxy ARP 

Proxy ARPing enables the unit to respond to ARP requests for other addresses. When Proxy ARPing is 
enabled, the unit will respond to ARP requests for all addresses in its routing table. 

Proxy ARPing allows remote nodes to appear as if they were on the same Ethernet segment as the unit. This 
feature is particularly useful for hosts that do not support RIP; the Ethernet hosts will not need to use routing 
information to forward traffic destined for these hosts. 

To enable proxy ARP, use the Set/Define IP All/Ethernet Proxy-ARP command. 

Figure 5-41: Enabling Proxy ARP 

Local» DEFINE IP ETHERNET PROXY-ARP ENABLED 



The unit will not respond to ARP requests for routes learned from the Ethernet, or for routes that aren't 
explicitly listed in the unit routing table. 

5.6.5 Using the NetBIOS Nameserver (NBNS) 

Windows 95 users can run NetBIOS over IP and use the DNS for name resolution, or a primary or secondary 
NetBIOS nameserver (NBNS). 

To specify a NetBIOS nameserver, use the following command. A secondary NetBIOS nameserver can be 
configured if desired. 

Figure 5-42: Setting the Domain Name Server 

Local» DEFINE IP NBNS 192.0.1.178 



NBNS will allow Windows 95 clients to use the Network Neighborhood browser without any additional 
configuration on the Windows 95 host. 

Note: NBNS is also called WINS. 

5.6.6 Routing and Subnetworks 

When dividing a network into subnetworks, ensure that subnetworks are contiguous. The unit uses RIP to 
learn routing information; if subnetworks are not contiguous, RIP cannot correctly inform the unit of the 
route to a particular network. 

Figure 5-43 gives an example of discontinuous subnetworks. 

Figure 5-43: Discontinuous Subnetworks 



[Diagram: networks labelled 192.0.2.0, 192.1.2.0, 192.0.3.0, 192.0.4.0, and 192.0.5.0] 



5.7 Displaying the IP Configuration 

The Show IP commands display IP configuration information, including information about the IP router, 
IP interfaces, and IP address of the remote host. To display the basic IP router configuration, use the Show 
IP command without any additional parameters. 

Figure 5-44: Show IP Output 



Local» SHOW IP 

SMC* Version Bl.l/102int (951128)     Name:               DOC_SERVER 
Hardware Addr: 00-80-a3-0b-00-5b      Uptime:             3 Days 02:07 

IP Address:    192.0.1.53             Subnet Mask:        255.255.255.0 
Nameserver:    (undefined)            Backup Nameserver:  (undefined) 
Domain Name:   (undefined)            Host Limit:         200 
Timeserver:    (undefined)            Backup Timeserver:  (undefined) 
IP Routing:    Enabled 

                         Received    Sent 
IP     Frames:           431535      13520     Seconds since zeroed 270144 
       Fragments:        0           0         Errors: 0 
TCP    Frames:           4 616       4046      Connect Failure Reasons: 0000 
       Invalid Frames:   1 0                   Invalid Packet Reasons: 0030 
       Retransmissions:  0 
ICMP   Frames:           53                    ICMP Reasons: 0045 



The Show IP Interface command displays a one-line summary for each interface that the router has. There 
will always be an interface for the Ethernet, as displayed in Figure 5-45. When sites are active, interfaces 
to these sites will be displayed. 

The Uptime field displays how long (in days:hours:minutes format) each interface has been active. The 
Lastin field displays the duration since the last packet arrived on a particular interface. The Lastout field 
displays the duration since the interface sent outgoing traffic. 



Figure 5-45: Show IP Interface Output 



Local» SHOW IP INTERFACE 

SMC* Version Bl.l/102int (951128)     Name:   DOC_SERVER 
Hardware Addr: 00-80-a3-0b-00-5b      Uptime: 3 Days 02:07 

Name        IP Address     Remote IP Address   Uptime     Lastin   Lastout 
Ethernet    192.0.1.221                        74:07:04   0:00     0:00 



When used in conjunction with a particular site's name, the Show IP Interface command displays 
information about the site's interface, including its IP address, subnet mask, IP address of the remote host, 
and RIP statistics. 



Figure 5-46: Show IP Interface for a Particular Site 



Local» SHOW IP INTERFACE irvine 

SMC* Version Bl.l/102int (951128)     Name:   DOC_SERVER 
Hardware Addr: 00-80-a3-0b-00-5b      Uptime: 3 Days 02:07 
20:42:54 

Name bob 
Type: Dialup 
Netstate: Running 
Device/Ref count: lm0:/002 
IP Address: 192.0.1.221 
Remote Address: 192.0.1.245 
Netmask: 255.255.255.0 
Network: 192.0.1.0 
TimeToLive Cost: 0 
Largest Packet (MTU) 1500 
Pool Range Start: (undefined) 
Pool Range End: (undefined) 
Pool Status: Invalid 
Pool Addresses In Use: 0 
Listen to RIP Packets: Enabled 
Send RIP Packets: Enabled 
Rip Update Time (seconds): 30 
Rip Metric: 1 
Default Interface: Disabled 
Trusted Routers: Disabled 
Proxy Arp: Disabled 
Packets In: 622 
Packets Out: 1190 
Packets In Filtered: 0 
Packets Out Filtered: 0 
Packet Errors: 0 
Uptime: 04:03 
Last Packet In: 0:00 
Last Packet Out: 0:00 
Last Routed Packet In: 0:00 
Last Round Packet: 0:00 



The Show IP Route command displays the routes currently in the unit routing table. 

Figure 5-47: Show IP Route Output 



Local» SHOW IP ROUTE 

SMC* Version Bl.l/102int (951128)     Name:   DOC_SERVER 
Hardware Addr: 00-80-a3-0b-00-5b      Uptime: 3 Days 02:07 

Destination      Next Router    Metric   Source   Timer     Interface 
Default Route    192.0.1.70     3        RIP      02:31T    Ethernet 
192.4.4.0        192.0.1.202    3        RIP      02:51T    Ethernet 
192.0.1.0        192.0.1.57     2        Local              Ethernet 
192.3.5.0        192.0.1.238    1        RIP      02:48T    Ethernet 



The Source field indicates how the route was added to the table: statically, locally, or from RIP.

The Timer field displays how long (in minutes:seconds format) the unit will continue to use this route. For
static and local routes, this field will display a series of dashes (---); these routes are never timed out.



If a "T" is displayed on the right of the Timer value, the value represents the route's time-to-live. If a RIP 
update for the route is not received within this time period, the route will be marked as unreachable, and the 
T will be changed to a "D" to denote that the route is invalid, but isn't ready to be deleted yet. If "Exp" is 
displayed, the route is about to be deleted from the table. 

The Interface field displays the interface used to forward packet traffic. 

5.8 Examples 

5.8.1 IP Address Assignment for Remote Networking 

A unit handles incoming calls from a series of remote node users. Two of these users, Bob and Frank, have
special IP address requirements. 

The unit must be configured to do the following: 

♦ Assign the same IP address to Bob each time he logs in. 

♦ Permit Frank to select his own IP address. 

Note: In general, allowing user-selected IP addresses is not recommended. It poses 
some security risks and could result in duplicate IP addresses. 

♦ Dynamically assign IP addresses to the remaining remote node users from an IP address pool. Only 
five unit ports have been configured to accept incoming calls, therefore, only five IP addresses must 
be included in the pool. 

Bob will use site bob when he logs into the unit. At authentication time, he will be prompted for the site's 
local password, badger. He will be assigned IP address 192.0.1.108. 



Figure 5-48: Configuring Site bob 



Local» DEFINE SITE bob IP REMOTEADDRESS 192.0.1.108
Local» DEFINE SITE bob AUTHENTICATION LOCAL "badger"



When Frank logs into the unit, he will use site frank, which requires that he enter the password wallaby. 
No remote IP address is defined for this site, therefore, Frank may use any IP address he wishes. 

Figure 5-49: Configuring Site frank 



Local» DEFINE SITE frank AUTHENTICATION LOCAL "wallaby"



To create the IP address pool, use the following command: 

Figure 5-50: Creating IP Address Pool 

Local» DEFINE IP ETHERNET POOL 192.0.1.100 192.0.1.105

All incoming callers that do not specify a particular site (such as bob or frank) will use the default site for
the connection. To require that default site users use an IP address from the pool, use the Define Site
Default IP Remoteaddress command.



Figure 5-51: Using the Address Pool for the Default Site



Local» DEFINE SITE DEFAULT IP REMOTEADDRESS 192.0.1.100 192.0.1.105 



5.8.2 General IP Setup 

The following figure illustrates the commands required for the average IP setup: 



Figure 5-52: General IP Configuration 



Local» DEFINE IP ADDRESS 192.0.1.11
Local» DEFINE IP SUBNET 255.255.255.0
Local» DEFINE IP NAMESERVER 192.0.1.45
Local» DEFINE IP SECONDARY NAMESERVER 192.0.1.184
Local» DEFINE IP DOMAIN "ctcorp.com"
Local» DEFINE IP TIMESERVER 192.0.1.45
Local» DEFINE IP SECONDARY TIMESERVER 192.0.1.455



5.8.3 Adding Static Routes 

All IP packets to unknown networks must be forwarded to Internet gateway router 192.0.1.110. A default 
route to this router must be configured on the unit, and the route must be included in RIP updates to other 
routers. The route must have a metric of 2. 

Figure 5-53: Default Route to Router 

Local» DEFINE IP ROUTE DEFAULT NEXTROUTER 192.0.1.110 2 



Another router, 192.0.1.99, provides access to the network 192.1.1.0. This route must also be assigned a 
metric of 2. 

Figure 5-54: Static Route to Router 

Local» DEFINE IP ROUTE 192.1.1.0 NEXTROUTER 192.0.1.99 2 



5.8.4 Default Routes to a Site 

All IP packets to an unknown network must be forwarded to the Internet access provider. Site internet is 
used to manage connections to this location. 

A default route to internet must be configured on the unit. The route must be included in RIP updates to 
other routers; it must have a metric of two. 

Figure 5-55: Default Route to Site 

Local» DEFINE IP ROUTE DEFAULT SITE internet 2 

PPP, the Point-to-Point Protocol, is used to transmit high layer protocols over a serial link, ISDN
connection, or other point-to-point based connection. PPP supports authentication, escape sequences for
flow control characters, loopback detection, and per-packet checksums.

Two major components of PPP are discussed in the following sections:

♦ LCP on page 6-1 discusses the Link Control Protocol (LCP).

♦ NCP on page 6-3 discusses Network Control Protocols (NCPs).

The final section discusses Starting PPP on page 6-3.

PPP is also discussed in Chapter 3, Basic Remote Networking. 

6.1 LCP 

The Link Control Protocol (LCP) is used by PPP to negotiate basic characteristics of the connection. These 
characteristics include packet size, header compression, control character escaping, and authentication 
mechanisms. 

Note: LCP is documented in RFCs 1661 and 1662. 

6.1.1 Packet Sizes 

Both sides negotiate the size of the packets each can receive. Packet size is also known as Maximum 
Receive Unit (MRU). The MRU need not be the same in each direction. The unit MRU is 1522 bytes. 

To configure the maximum packet size that can be received from a remote node, set the Maximum 
Transmission Unit (MTU), or maximum packet size, with the Define Site MTU command. 

6.1.2 Header Compression

PPP frames each packet with certain data fields, some of which may be omitted or compressed (see Define
Ports PPP on page -58 for details). PPP header compression is enabled by default on all unit ports. To
disable header compression, use the following command.

Figure 6-1: Disabling PPP Header Compression

Local» DEFINE PORT 2 PPP HEADERCOMPRESSION DISABLED



6.1.3 Character Escaping

PPP can be configured to substitute a two byte sequence of characters for specific characters. The substituted
characters are sent instead and the recipient translates them back into the original characters. This
substitution is called character escaping.

Escaping characters is often used with XON/XOFF flow control. This method of flow control, used with
many modems, involves treating two characters (hex 0x11 and hex 0x13) in a special manner.

Applications that use these characters (such as certain text editors) may incorrectly trigger XON/XOFF flow
control. If a user enters Ctrl-S (hex 0x13) or Ctrl-Q (hex 0x11), these characters won't be transmitted;
they'll be interpreted as flow control characters and removed from the data stream.

PPP can escape values between 0x00 and 0x1f (inclusive). To do this, PPP uses a 32-bit Asynchronous
Character Control Map (ACCM). For each character to be escaped, the corresponding bit is set in the
ACCM, which is entered in hexadecimal format; bit n of the map corresponds to character value n. For
XON/XOFF flow control (bits 17 and 19, for characters 0x11 and 0x13), the ACCM would be 0x000A0000.

Note: The values 0x7d and 0x7e are always escaped.

To escape a particular character, use the Define Ports PPP ACCM command. To automatically escape the
XON/XOFF flow control characters, use the XONXOFF parameter. To escape all control characters, enter
0xffffffff as the ACCM value. These options are all shown in Figure 6-2.



Figure 6-2: Escaping Characters 



Local>> DEFINE PORT 2 PPP ACCM 0x000A0000
Local>> DEFINE PORT 2 PPP ACCM XONXOFF
Local>> DEFINE PORT 2 PPP ACCM 0xffffffff



If the port is set for XON/XOFF flow control, the XON/XOFF characters are automatically added to any 
configured ACCM. 
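
The ACCM arithmetic and the escaping it controls, as an added example that is not part of the manual. It follows the asynchronous framing rules of RFC 1662 (escape octet 0x7d, escaped octet XORed with 0x20); the function names and the sample payload are constructed for illustration.

```python
"""Added example: PPP async character escaping driven by an ACCM (RFC 1662)."""

FLAG, ESC, XOR = 0x7E, 0x7D, 0x20
XON, XOFF = 0x11, 0x13

# Constructed payload: 'A', XON, XOFF, the two always-escaped octets, and 0x01.
SAMPLE = bytes([0x41, XON, XOFF, FLAG, ESC, 0x01])


def build_accm(chars):
    """Return the 32-bit ACCM with one bit set per control character (0x00-0x1f)."""
    accm = 0
    for c in chars:
        if not 0x00 <= c <= 0x1F:
            raise ValueError(f"0x{c:02x} is outside the ACCM range 0x00-0x1f")
        accm |= 1 << c          # bit n stands for character value n
    return accm


def escape(payload, accm):
    """Sender side: replace each mapped octet with ESC followed by (octet XOR 0x20)."""
    out = bytearray()
    for b in payload:
        mapped = b < 0x20 and (accm >> b) & 1
        if mapped or b in (FLAG, ESC):      # 0x7d and 0x7e are always escaped
            out += bytes((ESC, b ^ XOR))
        else:
            out.append(b)
    return bytes(out)


def unescape(wire, accm):
    """Receiver side: undo escape().

    A mapped control character that arrives unescaped is dropped, because the
    peer would have escaped it; it was inserted by the link (for example by a
    modem doing XON/XOFF flow control).
    """
    out = bytearray()
    it = iter(wire)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("truncated escape sequence")
            out.append(nxt ^ XOR)
        elif b < 0x20 and (accm >> b) & 1:
            continue
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    accm = build_accm([XON, XOFF])
    print(f"XON/XOFF ACCM: 0x{accm:08X}")
    print("on the wire:  ", escape(SAMPLE, accm).hex(" "))
```

With the XON/XOFF map, 0x01 passes through unescaped while 0x11 and 0x13 never appear raw in the stream, which is why a modem that consumes those two characters no longer corrupts the data.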

6.1.4 PPP Authentication

PPP supports two authentication methods: the Challenge Handshake Authentication Protocol (CHAP) and 
the Password Authentication Protocol (PAP). Both protocols involve a pre-assigned password. 

♦ CHAP authentication begins with a challenge message from the unit to verify its peer. The peer 
receives the challenge, uses its password to encrypt the challenge, and responds. The authenticating 
unit then checks the response against what is expected, and either accepts or rejects the authentication 
attempt. At no time is the password transmitted over the link. 

♦ PAP, a simpler protocol, involves transmitting the username and password over the link in plain text. 
If the unit is authenticating to an unauthorized peer, the password could be compromised. 
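
What each protocol puts on the link, as an added example that is not part of the manual. The packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); the manual does not say which CHAP algorithm the unit uses, so the MD5 digest from RFC 1994 is an assumption here, and the function names are illustrative.

```python
"""Added example: PAP and CHAP packets compared (RFC 1334, RFC 1994)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                      # RFC 1334 code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2      # RFC 1994 codes


def _packet(code, ident, body):
    """Code, Identifier and a 2-byte Length that covers the 4-byte header."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pap_request(ident, username, password):
    """PAP Authenticate-Request: peer ID and password travel unmodified."""
    return _packet(PAP_AUTH_REQUEST, ident,
                   bytes([len(username)]) + username +
                   bytes([len(password)]) + password)


def chap_challenge(ident, challenge, name):
    """Authenticator to peer: a value that must be different on every attempt."""
    return _packet(CHAP_CHALLENGE, ident, bytes([len(challenge)]) + challenge + name)


def chap_digest(ident, secret, challenge):
    """MD5 over identifier, shared secret and challenge (assumed algorithm)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident, secret, challenge, name):
    """Peer to authenticator: only the digest is sent, never the secret."""
    value = chap_digest(ident, secret, challenge)
    return _packet(CHAP_RESPONSE, ident, bytes([len(value)]) + value + name)


def chap_verify(packet, secret, challenge):
    """Authenticator side: recompute the digest and compare in constant time."""
    if len(packet) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or length != len(packet):
        return False
    value = packet[5:5 + packet[4]]
    return hmac.compare_digest(value, chap_digest(ident, secret, challenge))


if __name__ == "__main__":
    user, secret = b"sidney", b"kOala"    # example credentials used in this manual
    challenge = os.urandom(16)             # fresh per attempt, so a reply cannot be replayed
    pap = pap_request(1, user, secret)
    resp = chap_response(1, secret, challenge, user)
    print("challenge:", chap_challenge(1, challenge, b"DOC_SERVER").hex())
    print("PAP frame contains the password: ", secret in pap)
    print("CHAP frame contains the password:", secret in resp)
    print("CHAP response verifies:", chap_verify(resp, secret, challenge))
```

A captured CHAP response fails verification against any later challenge, whereas a captured PAP request yields the password itself.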

6.1.4.1 Configuring CHAP and PAP 

The unit may be configured for PPP authentication in one of three ways: 

1 Remote hosts must authenticate themselves 

2 The unit authenticates itself to remote hosts 

3 Remote hosts and the unit authenticate each other 

PAP and CHAP may be enabled on each port and each site. If both CHAP and PAP are configured for 
authentication, CHAP authentication will be attempted first. If the peer does not support CHAP, PAP will 
be attempted instead. 

On incoming connections, the port's CHAP or PAP configuration will be used to determine the
authentication required for the connection. For example, imagine that a remote node was logging into port 
2 on the unit. If port 2 was configured to use PAP to authenticate remote hosts, the remote node would be 
prompted to authenticate itself. 

Outgoing connections use the site's CHAP or PAP configuration. For example, imagine that site irvine was 
initiating an outgoing connection to a remote router. If the remote site required the unit to authenticate itself 
using CHAP and CHAP was enabled on site irvine, the unit would offer its username and password to the 
remote site. 

Use caution when using CHAP/PAP authentication, because configuring both a local and a remote password
on the same site could compromise security. If a site with both local and remote passwords defined receives
an incoming call, during the LCP negotiation process the site will say that it is willing to transmit both
passwords. The passwords will not be automatically transmitted, but the site will let the user know that it is
willing to do so if required. If the user requires the unit to authenticate itself, the unit will transmit the remote
password over the link, thereby giving the user a password to access the server.

Note: For a complete description of authentication, refer to Chapter 10, Security. 

6.1.5 CBCP 

The unit supports the Microsoft Callback Control Protocol (CBCP) for dial-in PPP clients that request it. In 
conjunction with the CBCP, you can configure the unit to allow the PPP client to choose a dialback 
telephone number to reverse phone charges. 

For more information, see Dialback Using CBCP on page 10-7. 

6.2 NCP 

Network Control Protocols (NCPs) govern use of a specific network protocol over the PPP link. On the unit, 
PPP uses the IP protocol. 

PPP uses the IP Control Protocol (IPCP) to negotiate the use of IP over a link. IPCP allows for dynamic 
address assignment and Van Jacobson TCP header compression. 

Note: IP over PPP is described in RFC 1332. Van Jacobson TCP compression is 
covered in RFC 1144. 

If, during the negotiation process, the unit receives a request for more IP compression slots than are 
configured on the site (using the Define Site IP Slots command), the unit will NAK (negative 
acknowledge), and request the number of slots configured on the site. 

6.3 Starting PPP 

PPP can be started in a number of ways. For a detailed discussion of the PPP startup sequence, see Starting 
PPP/Slip for Incoming Connections on page 3-8 and Using Sites for Outgoing Connections on page 3-5. 

6.3.1 User-Initiated PPP

If PPP is enabled for a port, you can start a PPP session from Local> mode using the Set PPP command. 
You can specify a site to connect to by appending the site name to the command. 

6.3.2 Automatic Detection of PPP 

A port may be configured to automatically detect a PPP packet and, if PPP is enabled on the port, run PPP 
when the packet is received. This eliminates the need for callers to explicitly start PPP. 

To enable this PPP autodetection feature, use the Define Ports PPPdetect command. 

Figure 6-3: Enabling Automatic Protocol Detection 

Local» DEFINE PORT 2 PPPDETECT ENABLED 



6.3.3 Dedicated PPP 

If a port is dedicated to PPP (see Preferred & Dedicated Services on page 7-8), the protocol runs 
automatically when the port is started. The autodetection setting is ignored. 

6.4 Multilink PPP 

When an incoming PPP connection requires additional bandwidth, the unit can add ports to the connection 
and combine the two or more physical streams of PPP data into one logical stream. This is called multilink 
PPP. 

Two servers are needed for multilink PPP connections, one to initiate the call and one to receive it. All 
multilink packets for a given connection must originate from the unit that brought up the link and be 
received by another single unit. The following sections explain how to configure a calling unit and a 
receiving unit for a one-way multilink connection. 

Note: Multilink PPP is described in RFC 1990. 

When a port that is enabled for multilink PPP receives a multilink call and more bandwidth is needed for
the connection, the unit will add other ports, if available, to reach the necessary bandwidth. For more 
information, see Bandwidth On Demand on page 4-6. 

6.4.1 Configuring the Calling Unit 

1 Enable Multilink PPP on all ports that may be used for a multilink connection. 

Figure 6-4: Enabling Multilink PPP 

Local» DEFINE PORT 1-4 PPP MULTILINK ENABLED 



Note: Ensure that other port parameters (such as speed, parity, and flow control) are 
properly configured for the connection. 

2 Create a site for the outgoing multilink PPP connection.

Figure 6-5: Creating the Calling Site 



Local» DEFINE SITE irvine 



Note: All other desired site parameters should be set up, and a static route should be 
defined for the site, before the site is used for connections. 

3 Configure the ports associated with the multilink site. 

A Associate the site with two or more ports, giving each port a priority. Higher priority ports will 
be used first. 

Figure 6-6: Configuring Port Priority 



Local» DEFINE SITE irvine PORT 1 PRIORITY 1 
Local» DEFINE SITE irvine PORT 2 PRIORITY 2 
Local» DEFINE SITE irvine PORT 3 PRIORITY 3 
Local» DEFINE SITE irvine PORT 4 PRIORITY 4 



B Estimate the bandwidth of each port associated with the site. 

The estimate should be based on the fastest data transfer that the attached modem can support, 
adjusted for expected compression. 

The following example assumes a 28.8 kbps modem attached to port 2 with about a 2:1 
compression rate (28800 x 2 = 57600 bps = 5760 bytes per second, rounded to 5800 bytes per 
second). 

Figure 6-7: Estimating Port Bandwidth 



Local» DEFINE SITE irvine PORT 2 BANDWIDTH 5800 



See Estimate Each Port's Bandwidth on page 4-7 for in-depth instructions on calculating 
bandwidth amounts. 

C Specify a telephone number for each port. 

When the site is brought up, the unit will attempt a connection by dialing the telephone number 
associated with the highest priority port (in this case, 555-1001). 

Figure 6-8: Configuring Port Telephone Numbers 



Local>> DEFINE SITE irvine PORT 1 TELEPHONE 555-1001
Local>> DEFINE SITE irvine PORT 2 TELEPHONE 555-1002
Local>> DEFINE SITE irvine PORT 3 TELEPHONE 555-1003
Local>> DEFINE SITE irvine PORT 4 TELEPHONE 555-1004



4 Configure the site bandwidth parameters. 

Note: The unit will only modify bandwidth if it initiated the connection.

A Specify the initial and maximum bandwidths.

The maximum bandwidth should not exceed the sum of the bandwidths for all of the ports.

Figure 6-9: Configuring Initial and Maximum Bandwidths

Local» DEFINE SITE irvine BANDWIDTH INITIAL 2800 
Local» DEFINE SITE irvine BANDWIDTH MAXIMUM 11500 



For more information about site bandwidth settings and how to fine-tune them, see Configuring 
Bandwidth Allocated to Sites on page 4-7. 

B Specify when to add and remove bandwidth from a connection. 

In the following example, the bandwidth should remain between 40% and 90% of the maximum 
value, 11500 bytes per second. The bandwidth will be measured every 60 seconds and compared
to the add and remove values to see if an adjustment is necessary. 



Figure 6-10: Configuring Site Bandwidth Settings 



Local>> DEFINE SITE irvine BANDWIDTH ADD 90
Local>> DEFINE SITE irvine BANDWIDTH REMOVE 40
Local>> DEFINE SITE irvine BANDWIDTH PERIOD 60



5 Configure site authentication. 

All of the ports raised for a multilink connection should be added to the connection and authenticated 
together. A username and remote authentication password will be needed, and CHAP and/or PAP 
authentication should be enabled. 



Figure 6-11: Configuring Site Authentication

Local>> DEFINE SITE irvine AUTHENTICATION USERNAME "sidney"
Local>> DEFINE SITE irvine AUTHENTICATION REMOTE "kOala"
Local>> DEFINE SITE irvine AUTHENTICATION CHAP ENABLED
Local>> DEFINE SITE irvine AUTHENTICATION PAP ENABLED



6.4.2 Configuring the Receiving Unit 

1 Configure the ports that will be used for the multilink connection. 
A Enable Multilink PPP on all ports that will be used. 

Figure 6-12: Enabling Multilink PPP 



Local» DEFINE PORT 1-4 PPP MULTILINK ENABLED 



B Ensure that the telephone numbers of the modems attached to the receiving ports match those 
configured in the calling site. 

C Enable PPP CHAP and/or PAP authentication on the ports. 



Figure 6-13: Enabling PPP Authentication 



Local>> DEFINE PORT 1-4 PPP CHAP REMOTE
Local>> DEFINE PORT 1-4 PPP PAP REMOTE

2 Create a site to receive the multilink traffic.

The site's name must match that of the incoming multilink user (see Figure 6-11). 

Figure 6-14: Creating the Receiving Site 



Local» DEFINE SITE "sidney" 



3 Configure site authentication. 

A local authentication password will be needed (it should match the incoming site's remote password, 
see Figure 6-11), and CHAP and/or PAP authentication should be enabled. 

Figure 6-15: Configuring Site Authentication 



Local» DEFINE SITE sidney AUTHENTICATION LOCAL "kOala"

Note: Use the same authentication protocol on the receiving unit as on the calling unit.

6.5 Restoring Default PPP Settings 

To restore a port to its default PPP settings, enter the Purge Port PPP command. 

Figure 6-16: Restoring Default PPP Settings 



Local» PURGE PORT 2 PPP 



6.6 Troubleshooting 



The unit event logging feature enables you to monitor network and user activity and troubleshoot problems. 
Configure a destination for logging information using the Set/Define Logging command, described on page 
-155. 

To view PPP LCP and NCP negotiations with the remote host, use logging level 4 or 6. Level 4 logs PPP 
negotiation activity, and is adequate for most PPP troubleshooting. Level 6 logs all PPP events; this is 
generally only required to troubleshoot faulty PPP implementations. 

Figure 6-17: Enabling PPP Event Logging 



Local» DEFINE LOGGING PPP 4 

Once a connection is made, problems may be monitored using the Show/Monitor/List Ports command.
The following table explains the counters useful for PPP troubleshooting.

Table 6-1: Port Counters

Counter(s)                Information Displayed

Packets Input             Packets from the remote host to the unit.

Packets Output            Packets from the unit to the remote host.

Packet-Too-Long           Number of packets longer than the Maximum Receive Unit (MRU)
                          negotiated with LCP. In most situations, this counter will be 0. To
                          correct this error, the remote node should configure a smaller
                          Maximum Transmission Unit (MTU).

Bad FCS (Frame Checksum)  Number of corrupted packets. This problem may be due to line noise,
                          flow control problems, and so on. This number should be less than
                          1% of the Packets Input counter; if it is not, performance is suffering
                          greatly.

Each unit port can be configured in a number of ways. Configuration options include a port's start method,
available sessions, services, access, serial parameters, and flow control. 

7.1 Using Port Commands 

Most port commands require you to be the privileged user. To become the privileged user, use the Set 
Privileged/Noprivileged command. This command is discussed in detail on page -69. 

Many port commands require that the Define commands be used instead of the Set commands. Set 
commands take effect immediately for the current session. Define commands do not take effect until the 
port is logged out (with the Logout Port command) or the server is rebooted. 

Note: For a more detailed explanation of the difference between Set and Define 
commands, see Set and Define on page 2-3. 

A number of Define Port commands are designed to control modems (for example, Define Port Modem 
Answer). These commands are covered in Chapter 8, Modems, and in Modem Commands on page -77. 

7.2 Setting Port Access 

A port's access may be set to one of the following: dynamic, local, remote, or none. Dynamic (the default) 
permits both local and remote logins, local permits only local logins, and remote permits only remote 
logins. None prevents all incoming and outgoing connections, rendering the port unusable. 

Before a user can Telnet to a unit port and dial out using an attached modem, the port must have dynamic
or remote access. Before a user can log into a port locally and Telnet to a remote host, the port must have 
local or dynamic access. 

To configure access to a port, use the Set/Define Ports Access command. 

Figure 7-1: Configuring Connection Type

Local» DEFINE PORT 2 ACCESS LOCAL 



7.3 Starting a Port 

When the unit is booted, the ports can start up in one of two ways: they can automatically start, or wait for 
character input. Each port can be individually configured; for example, one port may wait for character input 
before starting while another may automatically start when the unit is booted. 

A port's start-up procedure may involve a combination of factors. For example, if modem control is 
enabled, the port will wait until the modem asserts the DSR signal, then it could either automatically start, 
or wait for character input before starting (depending on the port configuration). 

7.3.1 Waiting for Character Input

By default, each unit port will be idle until character input is received (such as a Return key pressed at the
remote node). If automatic protocol detection is enabled (see Automatic Protocol Detection on page 7-4),
and the unit recognizes a PPP or SLIP character in a packet for an enabled protocol, the unit will
automatically run that protocol.

7.3.2 Starting Automatically 

A port can be configured to automatically start up when the unit is booted, or as soon as the unit receives a 
predetermined trigger character. The Set/Define Ports Autostart command is used to set these options. 

7.3.2.1 Enabling Autostart 

When Autostart is enabled, the port will start up and execute any configured commands or connections. (No 
user input or serial data is necessary for the port to start up; it will occur automatically.) 

To enable Autostart, use the following command. 

Figure 7-2: Enabling Autostart 

Local» DEFINE PORT 2 AUTOSTART ENABLED 



Once Autostart is enabled, the port will start up automatically without waiting for character input. The port 
will then perform any operations that it's configured to run at start-up. For example, the port may connect 
to a particular host or service, run an authentication sequence, or run a particular protocol. 

Note: To dedicate a port to a host or service, see Dedicated Protocols on page 7-9. 

If PPP is enabled on the port, the port will start when a PPP packet is received. See PPP Mode on page 7-3 
for details. If both Autostart and modem control are enabled, the port will start as soon as the DCD signal 
is raised. 

7.3.2.2 Setting an Autostart Trigger 

Autostart can also be triggered by a specific input character. As the unit does not have a default Autostart 
character, you will have to configure one. For example, when using modem emulation mode, you may want 
to use A so that Autostart will happen as soon as an AT modem command is entered. Keep in mind that 
when you configure an Autostart character, you can no longer use <CR> to get to the Local> prompt. The 
following example configures "A" as the Autostart character for the first serial port. 

Figure 7-3: Configuring an Autostart Character 

Local» DEFINE PORT 1 AUTOSTART CHARACTER "A" 



You can also specify a control character using escaped hex. For example, Ctrl-B (ASCII character 0x02) is 
"\02" in escaped hex. 

7.4 Port Modes

A unit port can be used in one of three modes: character mode, PPP mode, or SLIP mode. The default port
mode is character mode. To configure a port to run PPP or SLIP, see the corresponding sections below.

Note: Enabling PPP or SLIP on the serial console port is not recommended. 

7.4.1 Character Mode 

By default, the unit ports will start character mode when the Return or Line Feed key is pressed at startup.
Users logging into the unit will see a Username> prompt followed by a Local> prompt. Unit commands can
be entered at this prompt to configure the unit, control logins, Telnet or Rlogin to remote hosts, start PPP or
SLIP, or display information.

Note: If the Altprompt characteristic is enabled, users will see a Login: prompt instead
of the Username> prompt. See Set/Define Server Altprompt on page -102 for
more details.

7.4.2 PPP Mode 

A port in PPP mode runs the Point-to-Point Protocol. A port can be configured to run PPP in a number of 
ways; for example, users can be authenticated, headers can be compressed, and negotiation can take place. 
Because PPP isn't designed for user interaction (the user isn't entering unit commands), the Local> prompt 
will not be displayed. 

When PPP and PPPdetect are enabled on a port (see Automatic Protocol Detection on page 7-4), PPP will
automatically run once the port has started up and a PPP packet is received. Because running PPP in this
manner bypasses a port's usual authentication (using a login password or username/password combination),
you should configure CHAP or PAP authentication.

To enable a port to run PPP, use the Define Ports PPP command. 

Figure 7-4: Enabling PPP 

Local» DEFINE PORT 2 PPP ENABLED



Note: For more information on PPP, refer to Chapter 6, PPP. 

7.4.3 SLIP Mode 

When SLIP (Serial Line Internet Protocol) and SLIPdetect (see Automatic Protocol Detection on page 7-4) 
are enabled on a port, SLIP will run once that port's start-up procedure is complete. 

Running SLIP in this manner bypasses a port's usual authentication process (login password, etc.). As SLIP 
doesn't support authentication, no authentication will occur in this situation. To use authentication with 
SLIP, see Chapter 10, Security. 

To enable a port to run SLIP, use the following commands.

Figure 7-5: Enabling SLIP 

Local» DEFINE PORT 2 SLIP ENABLED 



7.5 Automatic Protocol Detection 

A unit port may be configured to automatically detect a PPP or SLIP packet and, if PPP or SLIP is enabled
on the port, run the appropriate protocol when the packet is received. This eliminates the need for callers to 
explicitly start PPP or SLIP. 

In some situations, autodetection should be disabled. For example, SLIP doesn't support authentication. To 
authenticate users, autodetection of SLIP could be disabled; incoming callers would be presented with the 
Local> prompt and could be forced to enter the login password. Once authenticated, they could manually 
start SLIP by entering the Set SLIP command. 

Note: To configure SLIP authentication, see Chapter 10, Security. 

To enable PPP autodetection, use the Define Ports PPPdetect command. Automatic detection of SLIP is 
configured with the Set/Define Ports SLIPdetect command. 



Figure 7-6: Enabling Automatic Protocol Detection 



Local>> DEFINE PORT 2 PPPDETECT ENABLED
Local>> DEFINE PORT 3 SLIPDETECT ENABLED



If a port is dedicated to PPP or SLIP (see Dedicated Protocols on page 7-9), the protocol will run 
automatically when the port is started. Any authentication settings will be ignored. 
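
A configuration review for the authentication gaps this manual points out (autodetected PPP without CHAP or PAP, autodetected SLIP, PAP as the only method, a site holding both a local and a remote password, and a dial-in site with no fixed remote IP address), as an added example that is not part of the manual. The listing is constructed; it uses only command forms shown in this manual, and the finding texts and function names are illustrative.

```python
"""Added example: audit a listing of DEFINE commands for weak authentication."""
import re
import shlex
from collections import defaultdict

# Constructed configuration listing (not taken from a real unit).
SAMPLE_CONFIG = """
Local>> DEFINE SITE bob IP REMOTEADDRESS 192.0.1.108
Local>> DEFINE SITE bob AUTHENTICATION LOCAL "badger"
Local>> DEFINE SITE frank AUTHENTICATION LOCAL "wallaby"
Local>> DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.245
Local>> DEFINE SITE irvine AUTHENTICATION LOCAL "badger"
Local>> DEFINE SITE irvine AUTHENTICATION REMOTE "kOala"
Local>> DEFINE PORT 1-2 PPP CHAP REMOTE
Local>> DEFINE PORT 1-3 PPPDETECT ENABLED
Local>> DEFINE PORT 4 SLIPDETECT ENABLED
Local>> DEFINE PORT 5 PPP PAP REMOTE
Local>> DEFINE PORT 5 PPPDETECT ENABLED
"""


def expand_ports(spec):
    """'1-4' -> [1, 2, 3, 4]; '2' -> [2]; anything else -> []."""
    if not re.fullmatch(r"\d+(-\d+)?", spec):
        return []
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def parse(config):
    """Collect the settings defined for each site and each port number."""
    sites, ports = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        # Drop the prompt, then split while honouring quoted passwords.
        tok = shlex.split(re.sub(r"^Local\S*\s*", "", line.strip()))
        if len(tok) < 4 or tok[0].upper() != "DEFINE":
            continue
        kind, target = tok[1].upper(), tok[2]
        rest = [t.upper() for t in tok[3:]]
        if kind == "SITE":
            # Keep the keyword pair only, never the password or address value.
            sites[target.lower()].add(" ".join(rest[:2]))
        elif kind in ("PORT", "PORTS"):
            for num in expand_ports(target):
                ports[num].add(" ".join(rest))
    return sites, ports


def audit(config):
    """Return (object, finding) pairs for settings the manual warns about."""
    sites, ports = parse(config)
    findings = []
    for name in sorted(sites):
        s = sites[name]
        if {"AUTHENTICATION LOCAL", "AUTHENTICATION REMOTE"} <= s:
            findings.append((f"site {name}", "local and remote passwords on one site"))
        if "AUTHENTICATION LOCAL" in s and "IP REMOTEADDRESS" not in s:
            findings.append((f"site {name}", "caller may choose its own IP address"))
    for num in sorted(ports):
        p = ports[num]
        chap, pap = "PPP CHAP REMOTE" in p, "PPP PAP REMOTE" in p
        if "PPPDETECT ENABLED" in p and not (chap or pap):
            findings.append((f"port {num}", "PPP autodetect without CHAP or PAP"))
        if pap and not chap:
            findings.append((f"port {num}", "PAP only: password sent in plain text"))
        if "SLIPDETECT ENABLED" in p:
            findings.append((f"port {num}", "SLIP autodetect: SLIP has no authentication"))
    return findings


if __name__ == "__main__":
    for target, finding in audit(SAMPLE_CONFIG):
        print(f"{target:12} {finding}")
```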

7.6 Sessions 

When you log into a unit port to connect to a network service, your connection is referred to as a session.
A network service may be an interactive login to a TCP/IP host, a connection to a modem or another unit, 
another server, etc. Sessions describe interactive connections; PPP or SLIP connections are not referred to 
as sessions. 

Session configuration may apply only to the current session, or to all sessions run on a particular port. 
Session-specific configuration meets needs that apply only to an active session; for example, if binary files 
are being transferred, you could disable interpretation of the switch characters, XON/XOFF flow control 
characters, and message. 

Note: Only one session at a time will be displayed. 

Port-specific session configuration includes the number of sessions permitted on a port, the keys used to 
switch between sessions, and the key used to exit from a session to character mode. The commands used to 
configure these options are discussed in the following sections. 






7.6.1 Multiple Sessions 

Each port may have a number of sessions running at once. By default, each port is configured to permit up 
to 4 simultaneous sessions. The maximum number of simultaneous sessions, called the session limit, may 
be changed; up to 8 sessions may be run on each port. 

To change the session limit, use the Set/Define Ports Session Limit command. 

Figure 7-7: Changing the Session Limit 

Local» DEFINE PORT 2 SESSION LIMIT 6 



7.6.2 Switching Between Sessions 

Sessions are organized in the order that they were created. Commands or keyboard equivalents are used to 
switch back and forth between active sessions. Switching to a session with an earlier creation date is called 
switching backward; conversely, switching to a later session is called switching forward. Sessions are 
arranged in a circular list; switching forward from the last session created will switch to the first session in 
the list, and vice-versa. 

The command used to switch to the previous session is Backwards. Its keyboard equivalent is called the 
backward switch. To define a backward switch, use the following command: 

Figure 7-8: Defining Backward Switch 

Local» DEFINE PORT 2 BACKWARD SWITCH A 0 



The Forwards command is used to switch to the next session. Its keyboard equivalent, the forward switch,
is specified as follows:

Figure 7-9: Specifying Forward Switch

Local» DEFINE PORT 2 FORWARD SWITCH ~N



The characters you define for the backward switch and forward switch should not conflict with each other 
or with characters used for editing commands (see Commands on page 2-2). In addition, the characters 
should not conflict with characters used on the host. 

7.6.3 Exiting Sessions 

The Break key is used to suspend a session. When a session is suspended or exited, the Local> prompt will 
be displayed. Unit commands can be entered at this prompt to configure the unit, start a new session, or 
display information. 

7.6.3.1 Breaking from a Session 

When the Break key is pressed, the port will do one of three things: suspend the session and display the 
Local> prompt, pass the character to the remote service, or ignore it altogether (pressing the key will have 
no result). 

To configure the processing of the Break key, use the Set/Define Ports Break command. Break can be set 
to one of the following: Local, Remote, or Disabled. 

Figure 7-10: Configuring Break Key Processing 

Local» DEFINE PORT 3 BREAK LOCAL 



If your keyboard doesn't have a Break key, an equivalent can be specified with the Set/Define Ports Local 
Switch command. 

Figure 7-11: Specifying Local Switch 



Local» DEFINE PORT 2 LOCAL SWITCH ' 



7.6.3.2 Disconnecting Sessions 

To disconnect the current session, use the Disconnect command. To disconnect a particular session, specify 
the session number; to disconnect all sessions, use the All parameter. 

Figure 7-12: Disconnecting Sessions 



Local» DISCONNECT 

Local» DISCONNECT SESSION 2 

Local» DISCONNECT ALL 



7.6.4 Monitoring Session Activity 

When the Verification characteristic is enabled on a particular port, messages will be issued whenever a 
session on that port is connected, disconnected, or switched. Use the following command to enable 
verification: 



Figure 7-13: Enabling Verification 



Local» DEFINE PORT 3 VERIFICATION ENABLED 



7.6.5 Setting Session Characteristics 

You can configure a session either at the moment you make the connection, or from within a connection once 
it is already running. 

7.6.5.1 Configuring a Session at Connection Time 

To configure a session when a connection is made, an environment string may be specified. This string may 
be used in conjunction with the Connect command, or saved as part of a preferred or dedicated hostname. 
The environment string consists of a series of key letters, some prefaced by a plus (+) or minus (-). 



Table 7-1: Key Letters for Environment Strings 

Letter   Environment(s) 
------   -------------- 
D        +D = Backspace mode 
         -D = Delete mode 
E        +E = Local Echo mode 
         -E = Remote Echo mode 
I        I = Interactive mode 
P        +P = Passall mode 
         -P = Passthru mode 
C        +C = CR to CRLF 
         -C = CR to LF 
T        TCP mode (i.e. uninterpreted datastream) 
R        Rlogin protocol (sets port # to 513 if not already set) 
Q        Queued (i.e. RTEL) connection 
nnn      Optional port number 

Note: Key letters are not case-sensitive, and white space is not permitted in 
environment strings. 

To use an environment string with the Connect command, specify the host, TCP port, or service to connect 
to, then specify the environment string prefaced by a colon. For example, to Telnet to host athena in 
Backspace and Passall mode, use the following command: 

Figure 7-14: Using Environment Strings with Connect 

Local» CONNECT TELNET athena:+D+P 

To set an environment string to use with a preferred or dedicated host/service, use the following syntax: 

Figure 7-15: Using Environment Strings with Preferred/Dedicated Hosts 

Local» DEFINE PORT 2 DEDICATED RLOGIN athena:480+E 



Note: For more information on preferred and dedicated hosts/services, see Dedicated 
Protocols on page 7-9. 
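
The rules in Table 7-1 and the notes above can be checked before a string is saved into a dedicated host entry. The following parser is an added example, not code from the unit or from SMC. It assumes that D, E, P and C must carry a sign, that I, T, R and Q must not, that a key letter or port number may appear only once, and that ports run from 1 to 65535; the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Table 7-1: key letters that take a + or - prefix, and what each selects.
SIGNED = {
    "D": {"+": "backspace", "-": "delete"},
    "E": {"+": "local-echo", "-": "remote-echo"},
    "P": {"+": "passall", "-": "passthru"},
    "C": {"+": "cr-to-crlf", "-": "cr-to-lf"},
}
# Table 7-1: key letters that stand alone.
BARE = {"I": "interactive", "T": "tcp", "R": "rlogin", "Q": "queued"}
RLOGIN_PORT = 513  # "sets port # to 513 if not already set"

# One token is either an optionally signed letter or a run of digits (nnn).
TOKEN = re.compile(r"([+-]?)([A-Za-z])|(\d+)")


class EnvStringError(ValueError):
    """An environment string broke one of the rules in section 7.6.5.1."""


@dataclass
class Environment:
    modes: dict = field(default_factory=dict)  # key letter -> selected mode
    port: Optional[int] = None


def parse_env(env):
    """Parse the part after the colon, e.g. '480+E' or '+D+P'."""
    if any(ch.isspace() for ch in env):
        raise EnvStringError("white space is not permitted")
    out = Environment()
    pos = 0
    while pos < len(env):
        m = TOKEN.match(env, pos)
        if m is None:
            raise EnvStringError(f"unexpected {env[pos]!r} at offset {pos}")
        sign, letter, digits = m.groups()
        pos = m.end()
        if digits is not None:
            if out.port is not None:
                raise EnvStringError("port number given twice")
            out.port = int(digits)
            if not 1 <= out.port <= 65535:  # assumed range
                raise EnvStringError(f"port {out.port} out of range")
            continue
        letter = letter.upper()  # key letters are not case-sensitive
        if letter in out.modes:
            raise EnvStringError(f"key letter {letter} given twice")
        if letter in SIGNED:
            if not sign:
                raise EnvStringError(f"{letter} needs a + or - prefix")
            out.modes[letter] = SIGNED[letter][sign]
        elif letter in BARE:
            if sign:
                raise EnvStringError(f"{letter} takes no + or - prefix")
            out.modes[letter] = BARE[letter]
        else:
            raise EnvStringError(f"unknown key letter {letter}")
    # R only supplies a port when the string did not name one.
    if "R" in out.modes and out.port is None:
        out.port = RLOGIN_PORT
    return out


def parse_target(target):
    """Split 'host:envstring' as used with Connect and Dedicated."""
    host, _, env = target.partition(":")
    if not host:
        raise EnvStringError("missing host")
    return host, parse_env(env)


if __name__ == "__main__":
    for sample in ("athena:+D+P", "athena:480+E", "athena:r"):
        print(sample, "->", parse_target(sample))
```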

7.6.5.2 Configuring a Session Once It's Running 

The Set Session command enables users to configure a currently-running session. Areas that may be 
configured include: 

♦ The character sent as the delete character 

♦ Local echoing 






♦ unit interpretation of messages and server-specific keys 

♦ The character sent to the remote device when the Return key is pressed 

♦ unit interpretation of switch characters, messages, and flow control 

For more information, see Set Session on page -70. 

7.7 Preferred & Dedicated Services 

7.7.1 Preferred Services 

A preferred service is the default service (Telnet or Rlogin) for a particular port. If you use the Connect 
command without specifying a service, you'll be connected to the preferred service. A port can be 
configured to automatically connect to the preferred service upon login; this option is called Autoconnect. 

To specify a preferred service, use the Set/Define Ports Preferred command. 

Figure 7-16: Specifying a Preferred Service 

Local» DEFINE PORT 2 PREFERRED smc_modem 

The preferred service will be used with the Connect command whenever a service isn't specified. 

To automatically connect to the preferred service upon login to the port, the Autoconnect characteristic must 
be enabled. You can enable autoconnect using the following command: 

Figure 7-17: Enabling Autoconnect 

Local» DEFINE PORT 3 AUTOCONNECT ENABLED 

7.7.2 Dedicated Services 

A dedicated service is a service to which a port will always connect. When a port is associated with a 
dedicated service (referred to as "dedicating a port"), the port cannot be used to connect to any other service. 
A connection to the dedicated service will automatically be started upon login to the port; when you log out 
of the service, you will also be logged out of the unit. 

To specify a dedicated service, use the Define Ports Dedicated command. 

Figure 7-18: Specifying a Dedicated Service 

Local» DEFINE PORT 2 DEDICATED smc_modem 

The dedicated service will be connected upon login to the port. When the user logs out of the service (or if 
the service cannot be reached for some reason), the user will be logged out of the unit. 

7.8 Dedicated Protocols 

A dedicated protocol is a protocol (PPP or SLIP) that will automatically run when a port is started. No other 
protocol can be run on the port; it will continue to run PPP or SLIP until it is logged out. 

To dedicate a port to PPP or SLIP, use the following command: 



Figure 7-19: Dedicating a Port to PPP/SLIP 

Local>> DEFINE PORT 2 PPP DEDICATED 
Local>> DEFINE PORT 3 SLIP DEDICATED 



When a port is dedicated, the local prompt cannot be accessed; therefore, commands can't be entered to 
disable the Dedicated characteristic. Use caution when dedicating ports; if you're going to dedicate all unit 
ports, be sure that you have another way to log into the server (such as a Telnet login). 

Note: If you cannot log into the unit, you'll need to restore the server to its factory 
default settings. See Initialize Server on page -101. 

7.9 Port Restrictions 

Ports may be restricted in a number of ways. These methods include locking a port, username/password 
protection, restriction of connection type, automatic logouts, control of session interruption, restriction of 
commands, and receipt of broadcast messages. 

7.9.1 Locking a Port 

The Lock command may be used to secure a port without disconnecting sessions. When you enter Lock, 
you will be prompted to enter a password. The port will then be locked until that same password is used to 
unlock it. Figure 7-20 displays an example. 

Figure 7-20: Locking and Unlocking a Port 

Local> LOCK 

Password> donut (not echoed) 
Verification> donut (not echoed) 
Unlock password> donut (not echoed) 
Local> 



Note: Secure ports (set using the Set/Define Ports Security command) cannot be 
locked. 

To unlock a port without the Lock password, a privileged user must use the Unlock Port command or log 
out the port using the Logout command. Logout will disconnect all sessions. 

Note: Unlock Port is discussed on page -75. Logout is discussed on page -35. 

The Set/Define Server Lock command controls whether or not local users are permitted to lock ports. For 
information on this command, see Set/Define Server Lock on page -106. 

7.9.2 Enabling Signal Check 

The Signal Check characteristic can be used to prevent remote connections to a port unless DSR is asserted. 
This is often used to prevent Telnet logins to a port until the device attached to the port (for example, a 
terminal) asserts the DSR signal, indicating that it is connected and powered on. 

To enable Signal Check, use the following command: 

Figure 7-21: Enabling Signal Check 

Local» DEFINE PORT 3 SIGNAL CHECK ENABLED 



7.9.3 Username/Password Protection 

You can configure a port to require either a login password or a username/password pair before a login is 
permitted. 

Note: For detailed information on authentication, refer to Chapter 10, Security. 

7.9.3.1 Login Password 

The Set/Define Ports Password command controls whether or not the login password is required to log 
into the specified port. To require the password, use the following command: 

Figure 7-22: Requiring the Login Password 

Local» DEFINE PORT 2 PASSWORD ENABLED 



By default, incoming Telnet and Rlogin connections are not required to enter a login password. To require 
the login password for those connections, use the Set/Define Server Incoming command (discussed on 
page -105). The login password is defined with the Set/Define Server Login Password command 
(discussed on page -106). 

Note: Set/Define Server Incoming can also be used to require passwords for virtual 
port logins. 

7.9.3.2 Username/Password Authentication 

The Set/Define Ports Authenticate command is used to authenticate individual users. When this command 
is enabled, incoming logins will be prompted for a username/password pair. The username and password 
entered will be compared to authentication databases configured with the Set/Define Authentication 
command. If a match is found, the login will be permitted; otherwise, the login attempt will fail. 

Figure 7-23: Set/Define Port Authentication Commands 

Local» DEFINE PORT 3 AUTHENTICATE ENABLED 



Note: Set/Define Authentication is described in Chapter 10, Security. 

7.9.4 Automatic Logouts 

When a device connected to the unit is disconnected or powered off, the DSR signal is dropped. The unit 
can be configured to automatically log out a port when this occurs to prevent users from accessing other 
sessions by physically swapping terminal cables and using someone else's privileges. Ports can also be 
configured to automatically log out when they've been inactive for a specified period of time. 

7.9.4.1 DSR Logouts 

To configure a port to log out when the DSR signal is dropped, use the Set/Define Ports DSRLogout 
command. 

Figure 7-24: Enabling DSRLogout 

Local» DEFINE PORT ALL DSRLOGOUT ENABLED 



7.9.4.2 Inactivity Logouts 

To configure a port to log out after a specified period of inactivity, use the Set/Define Ports Inactivity 
Logout command. This command works in conjunction with the Set/Define Server Inactivity command. 
The latter defines a particular number of minutes; after this period of time, a port with Inactivity Logout 
enabled will be considered inactive and automatically logged out. 

Note: Set/Define Server Inactivity is described on page -104. 

To enable Inactivity Logout, use the following command: 

Figure 7-25: Enabling Inactivity Logout 

Local» DEFINE PORT 3 INACTIVITY LOGOUT ENABLED 



The unit will only perform an inactivity logout when the port is in character mode (not running PPP or 
SLIP). To configure idle time logouts for PPP and SLIP connections, you must configure an idle time for 
the site; after the site is idle for the specified time, the link will be shut down. Use the Define Site Idle 
command and specify the length of the idle time limit in seconds. 

Figure 7-26: Enabling Idle time Logouts for PPP/SLIP 

Local» DEFINE SITE irvine IDLE 60 



7.9.5 Restricting Commands 

The Security characteristic may be used to limit a user's access to information about other ports. When 
Security is enabled, only a limited number of commands may be typed at the Local> prompt. Users on a 
secure port are unable to get information about other ports using the Show/List commands and cannot 
perform commands which require privileged access. 

To enable Security on a particular port, use the Set/Define Ports Security command. 

Figure 7-27: Enabling Security 

Local» DEFINE PORT 3 SECURITY ENABLED 

7.9.6 Receipt of Broadcast Messages 

The Set/Define Ports Broadcast command enables or disables a port's receipt of broadcast messages from 
other users, including the superuser. Figure 7-28 displays an example. 

Figure 7-28: Enabling Broadcast Messages 

Local» DEFINE PORT 3 BROADCAST ENABLED 



7.9.7 Dialback 

The Dialback feature allows a system manager to set up a dialback list of authorized users for incoming 
modem connections. When a username matching one in the list is entered, the port is logged out and the 
phone number will be sent out the serial port using the port's modem profile. 

For a complete description of dialback, see Dialback on page 10-5. 

7.9.8 Menu Mode 

The Set/Define Ports Menu command controls whether the Local> prompt or a menu will be displayed 
upon login. To enable menu mode, use the following command: 

Figure 7-29: Enabling Menu Mode 

Local» DEFINE PORT 3 MENU ENABLED 



When Menu mode is enabled, the Local> prompt cannot be accessed. Be sure that you have another way to 
log into the unit before enabling Menu mode on all ports. 

Note: For a complete discussion of menu mode, see Menu Mode on page 10-20. 
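
The restrictions in section 7.9 interact with the dedicated and virtual port settings, so it helps to review a whole set of Define commands at once. The following check is an added example, not a tool supplied with the unit. It assumes the administrator keeps the Define commands in a text file, that a characteristic the file never sets is treated as not enabled, that PORT ALL covers physical ports only, and that the caller supplies the port numbers; the function names and finding labels are hypothetical.

```python
import re

# Characteristics from this chapter that take ENABLED or DISABLED.
TOGGLES = {"PASSWORD", "AUTHENTICATE", "DSRLOGOUT", "INACTIVITY LOGOUT",
           "SECURITY", "SIGNAL CHECK", "MENU"}
DEFINE_PORT = re.compile(r"^DEFINE PORT (ALL|\d+) (.+)$")


def load(script, ports):
    """Return ({port: {characteristic: bool}}, incoming_telnet_enabled)."""
    ports = sorted(ports)
    state = {p: {} for p in ports + [0]}  # port 0 = all virtual ports
    incoming = False
    for raw in script.splitlines():
        # Normalise case and spacing; tolerate a pasted "Local>>" prompt.
        line = re.sub(r"^LOCAL>+ ?", "", " ".join(raw.upper().split()))
        if line == "DEFINE SERVER INCOMING TELNET":
            incoming = True
            continue
        m = DEFINE_PORT.match(line)
        if not m:
            continue
        target, rest = m.groups()
        targets = ports if target == "ALL" else [int(target)]
        name, _, value = rest.rpartition(" ")
        if name == "AUTHENTICATION":  # spelling used in Figure 7-45
            name = "AUTHENTICATE"
        for p in targets:
            chars = state.setdefault(p, {})
            if name in TOGGLES and value in ("ENABLED", "DISABLED"):
                chars[name] = value == "ENABLED"
            elif (rest in ("PPP DEDICATED", "SLIP DEDICATED")
                  or rest.startswith("DEDICATED ")):
                chars["DEDICATED"] = True
    return state, incoming


def audit(script, ports):
    """List (port, finding) pairs for settings the script leaves open."""
    state, incoming = load(script, ports)
    physical = sorted(ports)
    findings = []
    for p in physical:
        c = state[p]
        if not (c.get("PASSWORD") or c.get("AUTHENTICATE")):
            findings.append((p, "no-login-control"))        # 7.9.3
        if not (c.get("DSRLOGOUT") or c.get("INACTIVITY LOGOUT")):
            findings.append((p, "no-automatic-logout"))     # 7.9.4
    # 7.14: network logins use port 0 and need their own authentication.
    if incoming and not state[0].get("AUTHENTICATE"):
        findings.append((0, "virtual-ports-unauthenticated"))
    # 7.8 and 7.9.8: dedicated and menu ports cannot reach Local>.
    no_prompt = all(state[p].get("DEDICATED") or state[p].get("MENU")
                    for p in physical)
    if physical and no_prompt and not incoming:
        findings.append(("ALL", "no-local-prompt-path"))
    return findings


# Constructed sample input, using only commands shown in this chapter.
SAMPLE = """\
Local>> DEFINE PORT ALL DSRLOGOUT ENABLED
Local>> DEFINE PORT 1 PASSWORD ENABLED
Local>> DEFINE PORT 2 DEDICATED smc_modem
Local>> DEFINE PORT 3 AUTHENTICATE ENABLED
Local>> DEFINE PORT 3 INACTIVITY LOGOUT ENABLED
Local>> DEFINE PORT 4 MENU ENABLED
Local>> DEFINE SERVER INCOMING TELNET
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE, range(1, 5)):
        print(port, finding)
```

The findings describe only what the command file sets; confirm the live values with the List Port command before acting on them.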

7.10 Serial Port Configuration 

There are a number of configurations that apply specifically to serial transmission. These configurations are 
a port's parity, baud rate, and bits per character. The bits per character is set using the Set/Define Ports 
Character Size command, described on page -46. Set/Define Ports Parity (discussed on page -55) sets a 
port's parity, and Set/Define Ports Speed (discussed on page -64) sets the baud rate. 

Note: Use of these commands is relatively straightforward. Please refer to the 
designated page references for the appropriate syntax. 

The Autobaud characteristic enables a port to detect an incoming baud rate, character size, and parity and 
configure its characteristics to match. This characteristic cannot be enabled if Access is set to Remote or 
Dynamic (Setting Port Access on page 7-1) or if the specified port offers a service. To enable Autobaud, use 
the Set/Define Ports Autobaud command, discussed on page -40. 

The following sections discuss other configuration settings. 

7.10.1 Naming a Port 

To assign a particular name to a port, use the Set/Define Ports Name command. 

Figure 7-30: Assigning a Port Name 

Local» DEFINE PORT 3 PORT NAME "highspeed_modem" 

The default name for each port is Port_n, where n denotes the port number (for example, Port_2). 

7.10.2 Specifying a Username 

A username can be specified for a port using the Set/Define Ports Username command. When the 
username is specified with the Define Port Username command, users will not be prompted for a username 
upon login. Figure 7-31 displays an example. 

Figure 7-31: Specifying a Username 

Local» DEFINE PORT 3 USERNAME fred 

7.10.3 Notification of Character Loss 

When the Loss Notification characteristic is enabled, a bell character (Ctrl-G) will be sent when data error 
or overrun causes the loss of a character. Figure 7-32 displays an example. 

Figure 7-32: Enabling Loss Notification 

Local» DEFINE PORT 2 LOSS NOTIFICATION ENABLED 

7.10.4 Padding Return Characters 

By default, the unit will pad Carriage Returns entered in Telnet sessions with null characters. To disable this 
characteristic, use the Set/Define Ports Telnet Pad command. 

Figure 7-33: Disabling Telnet Pad 

Local» DEFINE PORT 3 TELNET PAD DISABLED 

7.10.5 Setting the Device Type 

The Type characteristic is used to specify the device types compatible with the port. Type must be one of 
the following device types: ANSI, Hardcopy, or Softcopy. To set a Type, use the following command: 

Figure 7-34: Configuring the Device Type 

Local» DEFINE PORT 3 TYPE ANSI 

Note: For more information about Type options, refer to Set/Define Ports Type on page 
-67 

7.10.6 Specifying a Terminal Type 

A terminal type, to be sent to the remote host for Telnet and Rlogin sessions, can be specified for a port 
using the Set/Define Ports Termtype command. The terminal type should be entered as a string, for 
example, VT100. 

Figure 7-35: Specifying a Terminal Type 

Local» DEFINE PORT ALL TERMTYPE IBM1000 



Note: By default, no specific terminal type is specified. 

Termtype information is used for outbound sessions; the unit doesn't use this information. For example, a 
remote host might use the terminal type to configure your terminal to run a particular application. 

7.10.7 Serial Data 

Once a connection has been started, several different triggers can be used to transmit all accumulated serial 
data to the host. These options are controlled with the Set/Define Port Datasend command. The datasend 
process used by the unit balances network traffic with latency concerns. 

One kind of trigger can be set by specifying a "timeout" condition of either the time since the last character 
was received or the time since the current character burst was started. For example, to trigger data 
transmission 150 milliseconds after the current character burst began, enter the following command: 

Figure 7-36: Transmitting Serial Data with Trigger Delay 

Local» DEFINE PORT 2 DATASEND DELAY FRAME 150 



The example in Figure 7-36 can be visualized as: 

xxx xxx xx (data) x x xx xxxxxxxx xx xxxx xx xxxx 

150 milliseconds transmit packet 

Another option is to set a one- or two-character trigger that will cause the unit to transmit the data. You can 
also specify whether the trigger characters will be sent to the host as part of the serial data or whether they 
should be discarded (the default). For example, the following commands will cause the accumulated serial 
data to transmit as soon as the "Z" character is detected in the data stream and to send the matched character 
("Z") to the host as part of that data. 

Figure 7-37: Transmitting Serial Data with a Character Trigger 

Local» DEFINE PORT 2 DATASEND CHARACTER Z 
Local» DEFINE PORT 2 DATASEND SAVE 1 



The example in Figure 7-37 can be visualized as: 

xxx xxx xx (data) x x xx xxxxxxxx xx xxx Z xx xxxx 

transmit packet 

For more information on the Set/Define Port Datasend command, see the Reference Manual. 

7.11 Flow Control 

Flow control enables two connected devices to control the amount of data transmitted between them. When 
flow control is enabled on a unit port and a connected device such as a modem, flow control ensures that 
data sent from the sending device does not overflow the receiving device's buffers. Consider the following 
example. 

A unit port is connected to a modem. The unit port transfers data to the modem at 115,200 bits per second, 
but the modem can only send data over the phone line at 15,000-30,000 bits per second. In a short period of 
time, the modem's buffer fills with data. The modem sends a signal to the unit to stop sending data, and the 
unit does not send data until it receives a signal from the modem that it can receive data again. 

The unit supports hardware and software flow control. The hardware flow control option is RTS/CTS and 
the option for software flow control is XON/XOFF. Both flow control methods are described below. 

Note: When the unit is communicating with a device, the unit and the device must agree 
on the type of flow control used. 

7.11.1 Hardware Flow Control 

When hardware flow control is used, the flow of data is controlled by two serial port signals (typically RTS 
and CTS). Two connected devices will assert and deassert RTS and CTS to indicate when they are ready 
to accept data. 

For example, the unit will assert RTS when it is ready to accept data. When it can no longer accept data (its 
buffers are full) it will deassert this signal. A connected modem will monitor the assertion and deassertion 
of this signal; it will only send data when RTS is asserted. 

A modem will assert CTS when it is ready to accept data. When its buffers are full, it will deassert CTS to 
indicate to the unit that it should stop sending data. The unit will only send data when CTS is asserted. 

RTS/CTS is the most reliable method of flow control and is the recommended method for the unit. In the 
event that RTS/CTS flow control cannot be used, XON/XOFF flow control is recommended. 

7.11.2 Software Flow Control 

XON/XOFF controls the flow of data by sending particular characters through the data stream. The 
characters sent to signify the ability or inability to accept data are Ctrl-Q (XON) and Ctrl-S (XOFF). 

Applications that use the Ctrl-Q and Ctrl-S characters (such as certain text editors) will conflict with XON/ 
XOFF flow control. If a user enters a Ctrl-Q or Ctrl-S, these characters won't be transmitted; they'll be 
interpreted as flow control characters and removed from the data stream. 

Protocols that require an 8-bit clean data path cannot use XON/XOFF flow control. Data passes through an 
8-bit clean data path unchanged. SLIP and UUCP require an 8-bit clean data path; PPP may have the same 
requirements if the Asynchronous Character Control Map (ACCM) isn't set properly. To configure the 
ACCM, see Chapter 6, PPP. 

7.11.3 Setting Up Flow Control 

To use flow control on a unit port, complete the following steps. 

1 Set Appropriate Line/Serial Speeds 

Consider the line speed and the serial speed of the modem; if data is being compressed, the serial 
speed should be higher than the line speed. If you're connecting a terminal to the port, ensure that the 
speed of the terminal matches the port speed. 

Note: See Chapter 8, Modems, for a discussion of line speeds, serial speeds, and data 
compression. See your modem's documentation for information on configuring 
the modem's line and serial speeds. 

2 Disable Autobaud 

In order to ensure that the set speeds are always used, disable any automatic speed selection or 
autobaud options on your modem. 

In addition, disable autobaud on the unit port you're configuring. To do this, use the Set/Define Ports 
Autobaud command. This command requires that you be a privileged user. 

Figure 7-38: Disabling Autobaud 

Local» DEFINE PORT 2 AUTOBAUD DISABLED 



Note: If you aren't currently a privileged user, use the Set Privileged command. 

3 Determine the Appropriate Flow Control Method 

Refer to Flow Control on page 7-15 for a description of the different methods. Choose the method 
that's most compatible with the modem and applications you'll be using. 

4 Configure Flow Control 

To configure your modem, refer to the modem's documentation. To configure flow control on the 
unit, use the Set/Define Ports Flow Control command. Figure 7-39 displays an example. 

Figure 7-39: Configuring RTS/CTS Flow Control 

Local» DEFINE PORT 2 FLOW CONTROL CTS 



Note: For this command's complete syntax, see Set/Define Ports Flow Control on page 
-50. 

7.12 Serial Signals 

Two of the modem signals (DSR and DCD) can be used to control when the unit ports are active. By 
monitoring when these signals are asserted or deasserted (dropped), unit ports can be logged out or kept from 
starting. The unit uses DTR to control attached devices. 

All DB25 and RJ45 signals are displayed in the following figures. 

Figure 7-40: DB25 Serial Signals 

Figure 7-41: RJ45 Serial Signals 

7.12.1 DSR (Data Set Ready) 

7.12.1.1 DSR for Automatic Logouts 

A port can be configured to automatically log itself out when DSR is no longer asserted; in other 
words, the port will log out when the modem is disconnected. This can help ensure port security; users will 
be prevented from unplugging terminal lines and using sessions that are still active. See Automatic Logouts 
on page 7-11 for more information. 

7.12.1.2 DSR for Controlling Remote Logins 

The DSR signal can also be used to determine whether or not a remote login to a port will be permitted. 
When enabled, the Signal Check characteristic will require the assertion of the DSR signal before a remote 
login is permitted on a particular port. 

Signal check is generally enabled for use with printers; if the printer doesn't assert the DSR signal, it's 
assumed to be disconnected or powered off. In this case, the remote login isn't permitted, and print jobs are 
not sent from the unit to the printer. 

To enable Signal Check, use the following command: 

Figure 7-42: Enabling Signal Check 

Local» DEFINE PORT 3 SIGNAL CHECK ENABLED 



7.12.2 DCD (Data Carrier Detect) 

The DCD signal is asserted by the local modem when it detects a connection from a remote modem. If 
you're using a DB25 port, no wiring is required in order to use the DCD signal. 

RJ45 ports have one pin that can be used for either DSR or DCD. If you are using modems, this pin must 
be wired to the modem's DCD pin. If you are using another type of device (such as a terminal or printer), 
this pin should be wired to the device's DSR pin. Refer to the Pinouts appendix of your Installation Guide 
for instructions. 

7.12.3 DTR (Data Terminal Ready) 

The unit asserts DTR when it is ready to accept incoming data or connections. It also uses DTR to cycle the 
modem when modem control is enabled by temporarily dropping the signal. 

Unit ports can be configured to assert DTR only when a user logs into the port by enabling the DTRWait 
characteristic. See Set/Define Ports DTRWait on page -50 for details. 

7.13 Restoring Default Port Settings 

To restore all ports to their default settings, use the Purge Port command. Use caution with this command; 
any changes that you've made with the Set and Define commands will be erased. 

Figure 7-43: Restoring Default Port Settings 

Local» PURGE PORT 2 



If the Purge Port command cannot be used (for example, if authentication has been defined on all ports), the 
settings can only be restored by using the Boot Configuration Program. See your Installation Guide for 
details. 

7.14 Virtual Ports 

Incoming Telnet and Rlogin connections are not associated with a physical port. Instead, they are associated 
with a virtual port which serves for the duration of the connection. Virtual port connections can be made 
only if incoming connections are enabled on the unit. 

Figure 7-44: Enabling Incoming Connections 

Local» DEFINE SERVER INCOMING TELNET 



Note: An incoming login password can also be configured with the Set/Define Server 
Incoming command, which is discussed on page -105. 

Each virtual port is created with a default set of characteristics. The Set Port commands can be used by the 
user to customize a virtual port during the Telnet/Rlogin session, but these customizations cannot be saved. 

To make configurations that apply to all virtual ports (all future Telnet/Rlogin connections), use Define Port 
commands, specifying port 0 as the port number. When the command in Figure 7-45 is used, all future 
network logins will be required to enter a username and password. 

Figure 7-45: Configuring Virtual Ports 

Local» DEFINE PORT 0 AUTHENTICATION ENABLED 



Note: Port 0 can only be configured using Define, not Set, commands. 

Define Port 0 commands are often used to provide local switches to network logins, as they typically do not 
have a Break key to use after the connection is made. NCP and Telnet remote console sessions are 
considered virtual logins; configurations made with the Define Port 0 commands will apply to these 
connections. 

To display the characteristics used for virtual ports, enter the following command: 

Figure 7-46: Displaying Virtual Port Characteristics 

Local» LIST PORT 0 



7.14.1 Remote Console Port 

The remote console port is a virtual port, designated as port 7000. This port is typically used when there 
isn't another way to telnet to the unit (for example, if Telnet logins are disabled), or when a consistent 
prompt is required. To Telnet to this port, use the Telnet command, specifying the unit IP address and 7000 
as the port number. 

Note: For more information on the remote console port, see Remote Console Sessions 
on page 5-11. 

The unit will display the remote console port prompt (#). The login password must be entered at this prompt 
to successfully log into the port. The default login password is access. To change this password, see Set/ 
Define Server Login Password on page -106. 

This chapter discusses how to configure your modem and the unit to work together. 

Communication devices (modems, printers, servers, etc.) are divided into two types: DTE (Data Terminal 
Equipment) and DCE (Data Communications Equipment). DTE and DCE are designed to work together, 
much as a male connector works with a female connector. 

The unit is a DTE device. Modems are DCE devices. This means that they use opposite signals; the unit 
uses a particular signal to send data, and the modem uses that same signal to receive data. 

Some devices that the unit will connect to (such as printers) are DTE devices. Transmitting data between 
two DTE devices requires the use of a null modem cable to swap the signals; for complete wiring 
instructions, refer to the Pinouts appendix of your Installation Guide. 

8.1 Modem Speeds 

The modem's serial speed, measured in bits per second (bps), is the rate at which the modem sends data to 
a host computer or other device (such as the unit) over its serial port. The modem's line speed, also 
measured in bits per second, is the rate at which the modem sends data through a telephone line to another 
modem or communications server. Although the two are related, they are not the same thing. 

8.1.1 Serial Speed 

The modem and the unit must agree on the serial speed used for the connection to avoid corrupted data. 
However, the unit may speak to a remote modem at a different speed due to error correction and flow control 
techniques used for the connection. In general, the serial speed should be set higher than the line speed, and 
higher still if compression is used. 

Commonly used serial speeds include 1200, 2400, 9600, 19200, 38400, 57600, and 115200 bps. The unit's 
default serial speed is 9600 bps, but can be changed with the Set/Define Ports Speed command. When a 
modem profile is defined, the unit will automatically select the highest possible serial speed. 

Note: See your modem's documentation for more information about supported serial 
speeds and configuration options. 

8.1.2 Line Speed 

Common line speeds include 9600, 14400, 28800, and 33600 bps. 9600 and 14400 are sometimes referred 
to by the names of the modem standards that define them (v.32 and v.32bis, respectively). 

Notice that the faster line speeds do not have corresponding serial speeds. If there is no matching serial 
speed, the next highest serial speed should be used because faster serial speeds make the most efficient use 
of the given line speed. For example, a v.32bis modem (14400 bps) should use at least a 19200 bps serial 
speed. 

To configure the proper serial and line speeds for a connection, see the Examples section on page 8-13. 

Note: Flow control must be used when the line speed and serial speed do not match. 
For more information on flow control setup, see Flow Control on page 7-15. 

8.2 Modem Profiles 

The unit interacts with a modem by sending commands to and expecting responses from the modem. This 
communication consists of strings or of simple commands to enable or disable modem features. 

In order to communicate properly with a particular modem (this varies from modem to modem), the unit 
consults a list of appropriate commands and responses for that modem. This compilation is called a modem 
profile. 

8.2.1 Using a Profile 

Preconfigured profiles are available for a number of modem types. Each profile contains all settings 
necessary to appropriately configure that type of modem. To display the list of profiles, use the Show 
Modem command. If your modem is listed, copy it to the port using the Define Ports Modem Type 
command. 

Figure 8-1: Associating Modem Profile With a Port 

Local>> DEFINE PORT 3 MODEM TYPE 5 



All configurations in the modem profile will be applied to the specified port. The port's flow control will 
be changed to RTS/CTS, Autobaud will be disabled if it's enabled, and the port's serial rate will be changed 
to the highest rate the modem can support. 

If your modem isn't in the list of profiles, use a modem profile for a modem that is similar to your modem 
type (for example, a modem from the same manufacturer). If there isn't a similar modem listed, use the 
Generic profile. 

Note: Be sure to verify the provisions mentioned in Security on page 10-1. 

New modem profiles will be added to the lists as they become available from users and our engineering 
staff. If your modem isn't included in the list of profiles, contact SMC to see if it will be added in a later 
version of the software. 

Note: If you configure a modem profile that is not available on the list, please mail it 
to techsupport@smc.com. 

To view the modem profile, or verify that changes have been successfully made to the profile, use the List 
Port Modem command. 

Figure 8-2: Verifying Modem Configuration 

Local>> LIST PORT 3 MODEM 

8.2.2 Editing a Profile 

If a profile isn't available for your modem, editing a profile for a similar modem (e.g. one from the same 
manufacturer) is recommended. However, if a similar modem profile isn't available, you can edit a 
preconfigured "generic" modem profile. This is explained in detail in Profile Settings on page 8-4. 

Note: Very few modems can use all commands in the generic modem profile. The 
generic profile is only meant as a starting point. 

Profiles can also be edited to "fine-tune" your modem's performance. For example, dialing performance can 
be increased by adjusting the DTMF (touch tone) duration and spacing. To edit a modem profile, complete 
the following steps. 

8.2.2.1 Examine the Profile 

Display the modem profile by entering the List Port Modem command. 

Figure 8-3: Displaying Modem Configuration 

Local>> LIST PORT 3 MODEM 



A series of settings will be displayed. For example, the Attention string may be currently set to at, and Error 
Correction may be enabled. Read through the configuration options discussed in Typical Modem 
Configuration on page 8-13 and determine which options you'll need to enable or disable to meet your 
needs. Consult your modem's documentation for the appropriate strings. 

8.2.2.2 Edit the Init String 

The Init string configures your modem at initialization. This string should do the following: 



Table 8-1: Commands in Initialization String 

Command Should                                                     Example String 

Set the modem to factory defaults.                                 &f 
Set the modem to ignore any character that may force it to         s2=128 
  return to command mode (for example, +++). 
Set carrier detect (DCD) to "follow carrier."                      &c1 
Set the modem to hang up phone and return to command mode          &d2 
  when the DTR signal is dropped. 
Set the modem to use hardware flow control.                        &k3 
Set the modem to determine its serial speed from the Attention     s20=0 
  command (rather than using a constant serial speed). 
Set the modem to return as many result codes as possible           w1 
  (known as "all progress"). Result codes will be returned in 
  text rather than numbers. 
If desired, set the modem to pass Caller-ID information to the     %ccid=1 
  unit. 

Note: The example strings given in Table 8-1 are not for all modems: consult your 
documentation for appropriate commands. 

If the Init string in your profile needs to be edited, use the Define Ports Modem Init command. The 
following example uses the example strings from Table 8-1. 

Figure 8-4: Sending Initialization String 

Local>> DEFINE PORT 3 MODEM INIT "&f s2=128&c1&d2&k3s20=0w1" 

Often, initialization commands are sent individually, prefaced by the modem's Command Prefix string 
(commonly "at"). In order for the unit to correctly send the information to your modem, all commands must 
be sent in one string. Do not include the Command Prefix string in the init string. 

Note: DSR should always be on. 

8.2.2.3 Edit Other Settings 

All settings in a modem profile can be edited with the Define Ports Modem commands. For example, to 
configure the Dial string, use the Define Ports Modem Dial command. 

Figure 8-5: Configuring a String 



Local>> DEFINE PORT 3 MODEM DIAL "DT" 



8.2.2.4 Enable Modem Control 

Before a port can control a modem, modem control must be enabled. Use the following command. 

Figure 8-6: Enabling Modem Control 

Local>> DEFINE PORT 3 MODEM CONTROL ENABLED 



8.2.2.5 Initialize the Modem 

Log out the port to which the modem is connected. The modem will be initialized, incorporating any 
changes that you've made to the modem's profile. 

Figure 8-7: Initializing the Modem 

Local>> LOGOUT PORT 2 



8.2.3 Profile Settings 

These settings can be configured with the Define Port Modem commands. 

Answer Enabled/Disabled 

This setting configures whether or not the modem will automatically answer the telephone line. 

Answer Command string 

This string causes the modem to answer upon ring or to never answer. It is directly preceded by 
the Commandprefix string and is commonly set to "A." 

Attention string 

The attention string is sent to the modem each time the port is logged out or when the server 
first boots. The modem must return the OK string. Otherwise, it is assumed that the modem is 
disconnected or unavailable. The string is commonly set to "at." 

Busy string 

The modem should respond with this string if the remote telephone line is busy. It is commonly 
set to "BUSY." 

Carrier wait string 

This setting determines the amount of time (in seconds) that the modem will wait for a carrier. 
If a carrier isn't received within this period of time, the call will fail. By default, Carrierwait is 
set to 60 seconds. 

Commandprefix string 

This string is placed before all commands sent to the modem except for the Attention string. In 
the unlikely event that your modem doesn't use a common command prefix for all commands, 
this string should be left blank; include the appropriate command prefix in every string sent to 
the modem. It is commonly set to "at." 

Compression Enabled/Disabled 

This setting enables or disables the modem's data compression. 

Note: See Compression on page 8-8 for a complete description of compression. 

Compression Command disablestring enablestring 

These strings cause the modem to compress data or to let data pass uncompressed. Note that 
compression often causes higher latency on a line in return for higher throughput. 

Connected string 

The modem must respond with this string after it connects with a remote modem. The modem 
may respond with other strings as well, but they will be ignored. It is commonly set to 
"CONNECT." 

Dial string 

This string is sent after the Command Prefix but before the telephone number to be dialed. 
Commonly, touch tone dialing is activated with "dt" and pulse dialing is activated with "dp." 

Error string 

The modem should respond with this string when it detects an error. It is commonly set to 
"ERROR." 

Errorcorrection Enabled/Disabled 

This setting enables or disables the modem's error detection and error correction. 

See Error Correction on page 8-10 for a complete description of error correction. 

Errorcorrection Command disablestring enablestring 

These strings cause the modem to use error correction or to let data pass uncorrected. Note that 
correction often causes higher latency on a line in return for data integrity. 






Getsetup string 

This string displays the modem's current configuration. The unit uses this information to 
determine if the modem's configuration has changed. It is commonly set to "&v." 

When most modems receive the Get Setup string, they'll return one page that lists their 
configuration. The unit will not function properly if more than one page of configuration 
information is sent (prompting the user to press a key to continue to the next page); if your 
modem is configured in this manner, the Get Setup string will need to be set to "". When Get 
Setup is set to "", the modem will not be queried for its configuration; instead, the unit will write 
the modem's NVR each time the unit is booted. 

Note: The AT&T Paradyne Comsphere and AT&T Dataport pose this problem. 

Use caution when configuring Get Setup in this manner. A modem's NVR can only be written 
a particular number of times; if the unit is rebooted too often, setting Get Setup to "" could wear 
out the modem's NVR. 

Init string 

The initialization (Init) string must be configured in a specific manner in order for your modem 
to work with the unit. See Editing a Profile on page 8-3 for instructions. 

Nocarrier string 

The modem should respond with this string if the remote modem doesn't present a carrier. It is 
commonly set to "NO CARRIER." 

Nodialtone string 

The modem should respond with this string if no dial tone is present and the modem cannot dial. 
It is commonly set to "NO DIAL." 

OK string 

The modem must respond with this string after receiving the Attention string. It is commonly 
set to "OK." 

Reset string 

This string resets the modem and reloads its setup from nonvolatile memory (NVR). It is 
commonly set to "Z." 

Ring string 

The unit will expect this string when the modem is ringing. If set to "", any characters from an 
idle modem will be interpreted as a ring. It is commonly set to "RING." 

Save string 

When the modem receives the Save string, it will save its configuration to nonvolatile memory 
(NVR). It is commonly set to "&w." 

Speaker Enabled/Disabled 

This setting enables or disables the modem's speaker. 

Speaker Command disablestring enablestring 

These strings turn the modem's speaker on or off. The speaker on switch may also set the 
speaker volume. It is commonly set to "m1l1" and "m0." 

Statistics string 

This string is sent to the modem after each call to gather statistics on that call. The resulting 
information from the modem is sent to the server's logging system for later analysis. 

8.2.4 Profiles for Modems with External Switches 

Some modems, such as USRobotics Sportster and Courier, have external switches that control the modem's 
behavior. Modems that have external switches but do not have predefined modem profiles on the unit should 
be set not to autoanswer. The unit answers the phone; the modem should never pick up the phone on its own. 

Sometimes the switch settings can be overridden by command strings, but sometimes they cannot. If your 
modem has switches, the unit will tell you how to set the switches when you define the modem profile, as 
seen in Figure 8-8. 

Figure 8-8: Enabling Modem Compression 

Local>> DEFINE PORT 3 MODEM TYPE 30 
%Info: Switch settings 1-8: UUDU DUUD 
%Info: Port speed changed to 115200. 
%Info: Port flow control changed to CTS. 



In the example, "U" stands for up and "D" stands for down. Duplicate these settings on your modem, then 
power cycle the modem before logging out of the port or rebooting the unit. 

8.3 Modems and the Unit 

8.3.1 Initialization 

When the unit is booted, the DTR signal will be held low so that the modem will reset and will not answer 
incoming calls. All unit ports with Modem Control enabled will be checked to see if a modem is connected 
and powered up. To determine this, the unit will send the Attention string to the modem and wait for the OK 
string to be sent in response. 

The modem will then be asked for its current configuration. The Init string will be sent followed by a request 
for the modem's configuration. If the current modem profile on that port does not match the configuration 
sent from the modem, it will be assumed that the modem's setup has changed. The Save string will be sent, 
and the setup contained in the profile will be saved in the modem's permanent memory (NVR). 

Note: The NVR on some modems will wear out with repeated use. This limitation is 
avoided by only writing the setup to the modem if it has changed. 

The unit will raise DTR so that the modem will answer incoming calls. The port then waits to start an 
outgoing call and waits to receive the Ring string from the modem to start an incoming call. 

8.3.2 Outgoing Calls 

On outgoing calls, the unit will send the Attention string until the modem responds with the OK string (up 
to three times). If the modem does not send the OK string, the attempt will fail and the modem will be reset. 
If the OK string is received, the unit will send the Command Prefix, the Dial String, and the telephone 
number to the modem. 

Note: To set the telephone number, refer to Assign a Telephone Number to the Port or 
Site on page 3-15. 

If the modem responds with the Connect String, the call will succeed. If the modem responds with the No 
Carrier, Error, No Dial Tone, or Busy strings, or if no response is received in 60 seconds, the call will fail 
and the modem will be reset (60 seconds is the default wait period; this can be configured using the Define 
Ports Modem Carrierwait command). 

Note: Define Ports Modem Carrierwait is discussed on page -79. 
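The outgoing-call handling described in this section can be written as a short routine. This is an added example, not the unit's own code: the scripted modem stub, the telephone number 5550100, the RINGING progress line and the prefix matching of result strings are assumptions, while the strings themselves are the "commonly set to" values listed under Profile Settings.

```python
# "Commonly set to" values from Profile Settings; Carrierwait defaults to 60 s.
PROFILE = {
    "attention": "at", "prefix": "at", "ok": "OK", "dial": "dt",
    "connected": "CONNECT",
    "failures": ("NO CARRIER", "ERROR", "NO DIAL", "BUSY"),
    "carrierwait": 60,
}


def scripted_modem(attention_replies, dial_replies):
    """Constructed stub. attention_replies holds one reply per Attention
    string ("" means silence); dial_replies holds (seconds, line) pairs."""
    pending, sent = list(attention_replies), []

    def send(command):
        sent.append(command)
        if command == "at":
            reply = pending.pop(0) if pending else ""
            return [(0, reply)] if reply else []
        return list(dial_replies)

    send.sent = sent          # lets the caller inspect what the unit sent
    return send


def place_call(send, number, profile=PROFILE):
    """Outgoing call as in section 8.3.2. Returns (connected, reason, reset)."""
    for attempt in range(3):                    # Attention, up to three times
        replies = send(profile["attention"])
        if any(line == profile["ok"] for _, line in replies):
            break
    else:
        return False, "no OK string", True      # attempt fails, modem is reset

    for seconds, line in send(profile["prefix"] + profile["dial"] + number):
        if seconds > profile["carrierwait"]:
            break                               # arrived after the wait period
        if line.startswith(profile["connected"]):
            return True, line, False
        for failure in profile["failures"]:
            if line.startswith(failure):
                return False, line, True        # call fails, modem is reset
        # Any other line (progress text such as RINGING) is ignored.
    return False, f"no response in {profile['carrierwait']} seconds", True


if __name__ == "__main__":
    modem = scripted_modem(["", "OK"], [(2, "RINGING"), (21, "CONNECT 28800")])
    print(place_call(modem, "5550100"), modem.sent)
```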

8.3.3 Incoming Calls 

The unit will detect an incoming call when a port receives the Ring string. The port will then be in a 
"ringing" state; outgoing calls cannot be made from this port during this period. The unit will send the 
Command Prefix string followed by the Answer string, forcing the modem to answer the call. 

When a modem asserts the DCD signal, the incoming call will be permitted. If more than 60 seconds pass 
between ring signals or before the assertion of DCD, the unit will assume that the caller hung up or that the 
connection attempt failed. Sixty seconds is the default wait period; this can be configured using the Define 
Ports Modem Carrierwait command. The port will then be available for outgoing calls. 

8.3.4 When a Port is Logged Out 

Each time a port is logged out (for example, when a user hangs up), the unit will send the Attention string 
to the modem. The OK string is expected in return. When this string is received, the unit will send the 
Command Prefix string and the Reset string. 

When the modem receives the Reset string, it will read its configuration from NVR. Any temporary 
configuration, such as changes made by an outbound modem user, will be cleared at this point. 

Note: If a user made changes during an outbound call and saved them to the modem's 
NVR, the modem will be returned to that changed state. 
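How initialization (8.3.1) and logout (8.3.4) interact, including the case in the note above, is easier to follow in a simulation. This is an added example, not the unit's own code: FakeModem and its settings list are constructed, the "m1" speaker setting stands in for any change an outbound user makes, and comparing the modem's reported setup before and after the Init string is one reading of how the unit decides that the setup has changed.

```python
# Strings are the "commonly set to" values from Profile Settings; the Init
# string is the example from Figure 8-4.
PROFILE = {
    "attention": "at", "prefix": "at", "ok": "OK",
    "init": "&fs2=128&c1&d2&k3s20=0w1",
    "getsetup": "&v", "save": "&w", "reset": "z",
}


class FakeModem:
    """Constructed stand-in for a modem: active settings plus NVR contents."""

    def __init__(self):
        self.active = []       # settings in effect right now
        self.nvr = []          # settings stored in nonvolatile memory
        self.nvr_writes = 0    # NVR wears out, so count the writes

    def reset(self):
        self.active = list(self.nvr)

    def command(self, line):
        if line == "at":
            return "OK"
        body = line[2:]                     # strip the "at" Command Prefix
        if body == "&v":
            return " ".join(self.active)    # report the current setup
        if body == "&w":
            self.nvr = list(self.active)
            self.nvr_writes += 1
        elif body == "z":
            self.reset()
        elif body.startswith("&f"):
            self.active = [body]            # factory defaults, then the rest
        else:
            self.active.append(body)        # any other setting change
        return "OK"


def expect_ok(modem, profile):
    if modem.command(profile["attention"]) != profile["ok"]:
        raise RuntimeError("modem disconnected or unavailable")


def boot_initialize(modem, profile=PROFILE):
    """Section 8.3.1. Returns True when the profile was saved to NVR."""
    modem.reset()                           # DTR held low: the modem resets
    expect_ok(modem, profile)
    stored = modem.command(profile["prefix"] + profile["getsetup"])
    modem.command(profile["prefix"] + profile["init"])
    wanted = modem.command(profile["prefix"] + profile["getsetup"])
    if stored == wanted:
        return False                        # unchanged: spare the NVR a write
    modem.command(profile["prefix"] + profile["save"])
    return True


def logout(modem, profile=PROFILE):
    """Section 8.3.4: Attention, expect OK, then Command Prefix + Reset."""
    expect_ok(modem, profile)
    modem.command(profile["prefix"] + profile["reset"])


def scenario():
    """Run boot, logout and the saved-change case; return what was observed."""
    modem, seen = FakeModem(), {}
    seen["first_boot_wrote_nvr"] = boot_initialize(modem)
    seen["second_boot_wrote_nvr"] = boot_initialize(modem)
    baseline = list(modem.active)

    modem.command("atm1")                   # temporary change during a call
    logout(modem)
    seen["temporary_change_cleared"] = modem.active == baseline

    modem.command("atm1")
    modem.command("at&w")                   # same change, saved to NVR
    logout(modem)
    seen["saved_change_survives_logout"] = modem.active != baseline

    seen["next_boot_wrote_nvr"] = boot_initialize(modem)
    seen["profile_restored"] = modem.active == baseline
    seen["nvr_writes"] = modem.nvr_writes
    return seen


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In this model a change saved to NVR stays in effect across logouts and is only replaced by the profile at the next boot, when the reported setup no longer matches.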

8.3.5 Compression 

The compression setting in a modem profile enables or disables data compression in the modem. 

Data compression enables a modem to transfer a larger amount of data in the same amount of time. When 
compression is used, uncompressed data arrives on the modem's serial port and the modem compresses the 
data before sending it over the phone line. The advantage of compression is increased throughput. For 
example, a modem might compress data to 1/2 its original size, doubling the modem's throughput; twice 
the data could be sent in the same amount of time required to send uncompressed data. 

The disadvantage of compression is increased latency. Latency is the delay before data transfer occurs, 
caused by the additional time the modem requires to compress the data before it is sent. In situations where 
the delay is undesirable (for example, during interactive use over a long distance line), compression should 
not be used. 

The "compressibility" of data depends on what is being compressed. Some data can be compressed to less 
than half its original size, while other data cannot be compressed at all. As the type of data to be sent 
changes, the modem's throughput will change. 

Before compression can be enabled, flow control must be enabled (see Flow Control on page 7-15). In 
addition, the modem's serial speed must be set higher than the line speed. This enables the unit to keep the 
modem's internal data buffer filled with data to compress. As lower compression ratios decrease the 
effective line speed, the modem will flow control the unit more often. When compression ratios and the 
effective line speed rise, the modem will flow control the unit less often. 

Note: On some modems, error correction must be enabled for data compression to 
work properly. See Error Correction on page 8-10. 

To enable modem compression, use the following command: 

Figure 8-9: Enabling Modem Compression 

Local>> DEFINE PORT 2 MODEM COMPRESSION ENABLED 



Note: For this command's complete syntax, see Define Ports Modem Attention on page 
-78. 

When modem compression is enabled on a port, the unit will send a string to the modem to instruct it to 
enable modem compression. When compression should be disabled, a disable string may be sent. The 
default enable and disable strings vary, depending upon the modem profile used. To display the default 
strings for a particular modem profile, use the List Modem command. 

To modify these strings, use the Define Ports Modem Compression command. The first string specified 
is the disable string; the second is the enable string. 

Figure 8-10: Changing the Disable and Enable Strings 

Local>> DEFINE PORT 2 MODEM COMPRESSION "s46=12b" "q5" 



The compression mode used varies from modem to modem; however, the most common mode is V.42bis. 
This is the recommended method of data compression. 

V.42bis encoding offers an automatic 20% savings on all data sent, regardless of how compressible it is. 
Some text files can be compressed down to 1/4 or less of their original size. In addition, V.42bis will enable 
or disable compression according to whether or not it's required. 

Other compression modes, such as MNP, may not give the same results as V.42bis. To obtain the best 
results, experiment with different modes of compression. 

Note: On many modems, error correction must be enabled in order to use data 
compression. 

8.3.6 Error Correction 

A modem's profile Error Correction setting enables or disables the modem's error correction mode. Error 
correction modes enable modems to ensure data integrity in the presence of telephone line noise. These 
modes work by checking the data for errors at the receiving modem. If an error is detected, the receiving 
modem requests that the sending modem retransmit the data. 

When errors are not detected, data flows through the modem at a normal rate. When an error occurs, the 
sending modem must retransmit the data and not send any new data. The sending modem must be able to 
flow control the unit during the retransmission. Ensure that flow control is enabled on the unit before 
enabling error correction. 

Note: To configure flow control, see Flow Control on page 7-15. 

To enable error correction, use the following command: 

Figure 8-11: Enabling Error Correction 

Local>> DEFINE PORT 2 MODEM ERRORCORRECTION ENABLED 



Note: For this command's complete syntax, see Define Ports Modem Errorcorrection 
on page -84. 

When error correction is enabled on a port, the unit will send a string to the modem to instruct it to enable 
error correction. When error correction should be disabled, a disable string may be sent. The default enable 
and disable strings vary, dependent upon the modem profile used. To display the default strings for a 
particular modem profile, use the List Modem command. 

To modify these strings, use the Define Ports Modem Errorcorrection command. The first string 
specified is the disable string; the second is the enable string. 

Figure 8-12: Changing the Disable and Enable Strings 

Local>> DEFINE PORT 2 ERROR CORRECTION "Sq5" "qO" 



8.3.7 Security 

If security measures aren't taken, unauthorized callers may be able to gain access regardless of the port's 
security measures. In order to prevent this, the following must be true: 

♦ If a remote user hangs up without logging out, the modem will sense the loss of carrier, and deassert 
the DCD signal. The server will then log the port out. 

♦ If the remote user logs out, the server will force the modem to hang up immediately and reset. 

These items should be carefully verified for each port that a modem is attached to, even if a preconfigured 
modem profile is used. 

Dialback security, discussed below, can be used in conjunction with these techniques on modem ports for 
an additional layer of security. 

The Ports and Security chapters cover security features in detail. The best tools for securing modem ports are 
username and password pairs, server passwords, and idle timeouts. 

8.3.8 Autostart 

A port with Autostart and modem control enabled will not run the specified mode (for example, PPP) until 
the modem asserts the DCD signal. This prevents the port from sending data to the local modem before a 
remote modem is connected. 

Note: For information on Autostart or the DCD signal, see Chapter 7, Ports. 

8.3.9 Dialback 

Dialback allows a system manager to set up a dialback list of authorized users for incoming modem 
connections. When a username matching one in the list is entered, the port will be logged out and the user 
will be called back at the predefined number. 

For a complete discussion of Dialback, see Dialback on page 10-5. 

8.4 Terminal Adapters 

ISDN Terminal adapters (TAs) are similar to modems. Modems convert asynchronous serial signals to a 
form that can be transmitted via regular phone lines, while terminal adapters convert asynchronous serial 
signals to a form that can be transmitted by ISDN phone lines. The main difference between using these 
devices with the unit is the complexity of TA setup, which varies by telephone service provider. 

For the most part, the unit interacts with a TA in the same way that it interacts with a modem. However, two 
things must be taken into account when using a TA with the unit: 

♦ Although some TAs can autodetect certain settings, it is not always possible to auto-configure 
information needed for the connection, such as the caller's own phone number. Therefore, no TA 
profiles are preconfigured for the unit itself. TA users must edit the generic modem profile so that it 
can be used with their specific TAs and ISDN service providers. 

Note: SMC provides Tech Tips that outline the configuration needed for certain 
specific terminal adapters. To find out if your TA's configuration is included in 
a Tech Tip, contact your dealer or SMC technical support. 

♦ B-channel ISDN connections are much faster than modem connections. Those who wish to use the 
unit's bandwidth-on-demand functionality should take this speed increase into consideration when 
configuring bandwidth settings. 

8.5 Caller-ID 

Three commands provide the unit with basic Caller-ID functionality, provided that Caller-ID is available 
and the unit is attached to a modem capable of decoding Caller-ID signals. 

Define Ports Modem CallerID Enabled allows the unit to parse Caller-ID information that it receives 
from the attached modem. 

Figure 8-13: Turning on Caller-ID 

Local>> DEFINE PORT 2 MODEM CALLERID ENABLED 



Note: The modem should be configured for either Single or Multiple Message Format; 
the unit cannot parse information in raw data format (ASCII coded 
hexadecimal). See your modem's documentation for configuration. 

Define Ports Modem Answer Rings configures the number of rings, either 1 or 3, that the unit will wait 
for before answering the line. The telephone company sends Caller-ID information between the first and 
second rings, so the unit must be set to wait for 3 rings before answering in order for Caller-ID functionality 
to work. 

Figure 8-14: Setting Modem Ring Value for Caller-ID 

Local>> DEFINE PORT 2 MODEM ANSWER RINGS 3 



Note: The modem init string must be modified to tell the modem to pass Caller-ID 
information to the unit. See Editing a Profile on page 8-3 for more information. 

Finally, Show/Monitor/List Modem Status displays status information about modems connected to unit 
ports, including the most recently collected Caller-ID information. A sample modem status display is shown 
in Figure 8-15. 

Figure 8-15: Modem Status Display with Caller-ID Information 

Local>> SHOW PORT 2 MODEM STATUS 
Port 2 : Username : Stephan 

Last Connect Speed: 28800/ARQ/V34/LAPM/V42BIS 

Last Caller ID Information: 

Date: 

Number : 

Name : 

Local>> 



Caller-ID information is also recorded by modem logging level 2 (see Set/Define Logging on page -155) 
and sent to RADIUS servers (see Appendix C, Supported RADIUS Attributes). 

8.6 Wiring 

The unit must be wired to the DCD pin on your modem. See the Pinouts appendix of your Installation Guide 
for complete wiring information. 

Note: For more information, see Serial Signals on page 7-16. 

8.7.1 Typical Modem Configuration 

Figure 8-16 lists the commands required for a typical modem setup. In this example, a unit modem profile 
exists for this brand of modem. All modem strings in this profile are acceptable; no special configuration is 
required. 

Figure 8-16: Typical Modem Configuration 

Local>> LIST MODEM 
Local>> DEFINE PORT 2 MODEM ENABLED 
Local>> DEFINE PORT 2 MODEM TYPE 4 
Local>> DEFINE PORT 2 MODEM SPEAKER DISABLED 
Local>> LOGOUT PORT 2 



8.7.2 Modem Configuration Using Generic Profile 

In this example, a V.34 modem is attached to unit port 2. A modem profile does not exist for this brand of 
modem; the generic modem profile must be used. This modem will support incoming and outgoing 
connections. 

Port 2's speed must be set properly for the modem. To determine the appropriate port speed, examine the 
following table: 



Table 8-2: Maximum Baud Rates 

Modem        Typical Maximum Line Rate 

V.32         19200 
V.32bis      57600 
V.fast       115200 
V.34         115200 


To determine the maximum baud rate supported by the modem, the port speed must be set and tested. 
Modem handling must be disabled on the port; if it is enabled, the unit will attempt to initialize the modem 
when the port is logged out. 

Figure 8-17: Configuring Port Speed 

Local>> DEFINE PORT 2 MODEM DISABLED 
Local>> DEFINE PORT 2 SPEED 115200 

The port speed is tested by logging into the port and sending an attention ("at") command. The modem 
should respond with "OK". If it does not send "OK", the port speed should be set to a lower baud rate (see 
Table 8-2). 



Figure 8-18: Testing the Port Speed 



Local>> SET PORT 2 LOCAL SWITCH A \ 
Local>> CONNECT LOCAL PORT_2 
Local protocol emulation V2.2 
at 
OK 

Local>> 



After the appropriate port speed is determined, the port must be configured using the generic modem profile. 
In addition, modem operation must be enabled. 

To determine which profile number is the generic profile (the number will change as new profiles are 
added), enter the List Modem command: 

Figure 8-19: Displaying Modem Profiles 



Local>> LIST MODEM 
1- Modem 1 
2- Modem 2 
3- Modem 3 
4- Generic 
Local>> DEFINE PORT 2 MODEM ENABLED 
Local>> DEFINE PORT 2 MODEM TYPE 4 
%Info: Port speed changed to 57600. 
%Info: Port flow control changed to CTS. 



The generic modem profile made a series of configurations to port 2. To determine the current configuration 
of port 2, use the List Port or List Port Modem command. 

Figure 8-20: Current Port Configuration 



Local>> list port 2 

Port 2: Username:                 Physical Port 2 (Idle) 
Char Size/Stop Bits: 8/1          Input Speed:   57600 
Flow Ctrl:           Cts/Rts      Output Speed:  57600 
Parity:              None         Modem Control: Disabled 

Access:              Local        Local Switch:  None 
Backward:            None         Port Name:     Port_2 
Break Ctrl:          Local        Session Limit: 4 
Forward:             None         Terminal Type: Soft () 

Preferred Services: (Telnet) 

Characteristics: Broadcast Loss Notify Telnet Pad Verify 

The speed for port 2 is now 57600. This speed must be set to the appropriate speed (determined earlier by 
setting and testing the speed), 115200. 

Figure 8-21: Configuring Port Speed 

Local>> DEFINE PORT 2 SPEED 115200 



Port 2 will be used for incoming and outgoing connections; therefore, access must be set to Dynamic. 

Figure 8-22: Configuring Local Switch and Port Access 



Local>> DEFINE PORT 2 ACCESS DYNAMIC 



After entering this command, log out the port to ensure that the changes will be in effect when the next user 
logs into port 2. 



8.7.3 Editing Modem Strings 



The current init string on port 2 is &fw1&c1&d2&k3s2=128. This string must be changed to work with a 
particular modem: 

Figure 8-23: Changing Init String 



Local>> DEFINE PORT 3 MODEM INIT "&fw1&c1&d2s2=128s38=0" 



Note: To see what the above modem initialization string is configured to do, refer to 
Table 8-1 on page 8-3. 

Consult your modem's documentation for the exact items to include in the modem init string. 
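An init string can be checked against Table 8-1 before it is loaded onto a port, including two cases the table does not spell out: a factory-defaults command that is not first, and a later command that overrides an earlier one. This is an added example, not part of the manual or the unit's software; it assumes the Table 8-1 example strings apply to the modem (the manual notes that they do not fit every modem), and its tokenizer covers only the command shapes that appear in this chapter.

```python
import re

# Example strings from Table 8-1. They are the manual's examples and do not
# fit every modem; pass a different list for a modem that uses other commands.
TABLE_8_1 = [
    ("s2=128", "ignore characters that force command mode (for example, +++)"),
    ("&c1", "carrier detect (DCD) follows carrier"),
    ("&d2", "hang up and return to command mode when DTR is dropped"),
    ("&k3", "hardware flow control"),
    ("s20=0", "serial speed determined from the Attention command"),
    ("w1", "all progress result codes, returned as text"),
]

# Command shapes used in this chapter: %name=n, &xn, sN=n, xn.
TOKEN = re.compile(r"%[a-z]+=\d+|&[a-z]\d*|s\d+=\d+|[a-z]\d*")


def tokenize(text):
    """Split a prefix-less, lower-case command string into single commands."""
    tokens, pos = [], 0
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"cannot parse init string at {text[pos:]!r}")
        tokens.append(match.group())
        pos = match.end()
    return tokens


def split_token(token):
    """Return (command, value); an omitted numeric value is read as 0."""
    if "=" in token:
        key, value = token.split("=", 1)
    else:
        key, value = re.fullmatch(r"(&?[a-z])(\d*)", token).groups()
    return key, int(value or 0)


def audit(init, required=TABLE_8_1):
    """Return findings as (kind, setting, purpose); an empty list means clean."""
    findings = []
    text = init.replace(" ", "").lower()
    if text.startswith("at"):
        findings.append(("prefix", "at",
                         "Command Prefix must not be in the Init string"))
        text = text[2:]
    effective, factory_at = {}, None
    for index, token in enumerate(tokenize(text)):
        key, value = split_token(token)
        if key == "&f":
            effective.clear()        # factory defaults undo everything before
            factory_at = index
        else:
            effective[key] = value   # a later command overrides an earlier one
    if factory_at is None:
        findings.append(("missing", "&f", "set the modem to factory defaults"))
    elif factory_at != 0:
        findings.append(("order", "&f", "factory defaults must come first"))
    for wanted, purpose in required:
        key, value = split_token(wanted)
        if key not in effective:
            findings.append(("missing", wanted, purpose))
        elif effective[key] != value:
            findings.append(("differs", wanted, purpose))
    return findings


# Init strings shown in Figure 8-4 and Figure 8-23 of this chapter.
FIGURE_8_4 = "&f s2=128&c1&d2&k3s20=0w1"
FIGURE_8_23 = "&fw1&c1&d2s2=128s38=0"

if __name__ == "__main__":
    for name, init in (("Figure 8-4", FIGURE_8_4), ("Figure 8-23", FIGURE_8_23)):
        print(name, audit(init) or "matches Table 8-1")
```

A finding against the Figure 8-23 string does not mean that string is wrong for its modem; it means the flow control and serial speed settings have to come from that modem's own commands.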

8.8 Troubleshooting 

To help diagnose any difficulty with your modem setup, it is a good idea to do the following: 

♦ Install a breakout box between the modem and the unit. Set all modem switches to the "normal" 
position, and remove all jumpers. When the modem and unit are powered on, the box's LEDs will 
display the state of the signals, enabling you to more easily diagnose the problem. 

♦ Enable logging for modems (see Event Logging on page 10-24). 

♦ Use the List Port command to ensure that modem control is enabled on the port. Many of the port's 
characteristics will be displayed; modem control is the third item listed in the left column. 

♦ Ensure that all modems have been reset by rebooting the unit. 

♦ Verify the cable connections. 

The following table lists some common problems that occur with modem configuration and proposes 
solutions for them. 



Table 8-3: Modem Troubleshooting 

Problem: The modem won't answer the phone. 

    Possible cause: The modem isn't configured to answer the phone. 
    Remedy: Enable answering with the Define Ports Modem Answer command (discussed on page -77). 

    Possible cause: The DTR signal isn't attached. 
    Remedy: Verify the wiring. Ensure that the ground pins on the RJ45 ports are wired together. 

    Possible cause: The unit isn't asserting the DTR signal. 
    Remedy: Ensure that the Dtrwait characteristic (discussed on page -50) is disabled on the unit port used. 

    Possible cause: The modem has hung. 
    Remedy: Cycle power on the modem. 

Problem: The modem doesn't respond to the unit's configuration requests. 

    Possible cause: The modem's flow control isn't set properly, or the modem's autobaud isn't functioning properly. 
    Remedy: Reset the modem's NVR to the factory default state (the at&f string is commonly used). For further 
    instructions, refer to your modem's documentation. 

    Possible cause: The modem isn't wired correctly. 
    Remedy: Verify the wiring. Ensure that the ground pins on RJ45 ports are wired together. 

Problem: The modem answers, but cannot connect to the unit. 

    Possible cause: The Access characteristic on the unit port is set to None or Remote. 
    Remedy: Set Access (discussed on page -39) to Local or Dynamic. 

    Possible cause: The modem's serial speed does not match the serial speed on the unit port used. 
    Remedy: Ensure that the serial speeds of the modem and unit port match. 

    Possible cause: A network user is connected to the modem. 
    Remedy: Use the Show Ports command (discussed on page -[illegible]) to verify that the unit port is idle. If it is 
    not idle, log out the port using the Logout Port command (discussed on page -35). 

    Possible cause: The modem has hung. 
    Remedy: Cycle power on the modem. 

    Possible cause: The unit cannot detect the DCD signal. 
    Remedy: Verify the wiring. Ensure that the ground pins on the RJ45 ports are wired together. 


All data is corrupted. 


The ground pins aren't wired 


Verify the wiring. Ensure that the ground pins on the 




correctly. 


RJ45 ports are wired together. 




The modem's serial speed does not 


Ensure that the serial speeds of the modem and unit 




match the serial speed on the unit 


port match. 




port used. 






Flow control isn't working properly. 


Ensure that the modem and unit port are configured 
to use the same flow control method. 




The modem is set to the wrong baud 
rate. 


Cycle power on the modem. 


The first few lines of 


Flow control isn't working properly. 


Ensure that the modem and unit port are configured 


data are transmitted 




to use the same flow control method. Flow control is 


properly, but the subse- 




discussed in detail in Flow Control on page 7-15. 


quent data is corrupted. 


The ground pins aren't wired 


Verify the wiring. On RJ45 ports, ensure that the 




correctly. 


ground pins are wired together. 

Table 8-3: Modem Troubleshooting, cont. 

| Problem | Possible Cause(s) | Remedy |
|---|---|---|
| When the port is logged out, the modem doesn't hang up the phone line. | Modem Control isn't enabled on the unit port used. | Ensure that Modem Control is enabled. See Define Ports Modem Control on page -82 for details. |
| | The DTR signal isn't attached. | Verify the wiring. Ensure that the ground pins on RJ45 ports are wired together. |
| | The modem isn't configured to reset when the DTR signal is dropped. | Check the modem's configuration. |
| When the phone is hung up, the unit doesn't log out the port. | Modem Control isn't enabled on the unit port used. | Ensure that Modem Control is enabled. See Define Ports Modem Control on page -82 for details. |
| | The DCD signal isn't attached. | Verify the wiring. Ensure that the ground pins on RJ45 ports are wired together. |
| | The modem isn't configured to deassert DCD upon loss of carrier. | Check the modem's configuration. |
| The modem answers, but won't connect to the remote modem. | One or both modems are configured not to connect unless some feature is enabled (for example, error correction). | Check the documentation for both modems; verify their configuration. |
| | The two modems cannot be connected. (Some modems are incompatible with one another). | Replace one or both of the modems. Verify that the modem is using the correct and current version of its software. |

Modem sharing provides users with individual modem/phone line functionality at a reduced cost. When 
modems are shared, a group of IP users may use a modem pool to dial out of a LAN and connect to a remote 
host; for example, to connect to a bulletin board service (BBS). This eliminates the need for phone lines for 
each user's computer. 

9.1 Services 

A service represents a resource accessible to network users, such as a modem or a pool of modems attached 
to the unit. 

Services provide links for TCP connections to unit serial ports. They are employed in modem sharing to 
establish connections to the unit modems. 

9.1.1 Creating a Service 

Each unit service must have a unique name. To create a service, use the Set/Define Service command. An 
example is displayed below. 

Figure 9-1: Creating a New Service 

Local» DEFINE SERVICE fastmodems 



Service names are not case-sensitive, may be up to 16 alphanumeric characters long, and cannot include 
spaces. 

9.1.2 Associating Ports with a Service 

Each service must be associated with at least one port. To associate a port with a service, use the Set/Define 
Service Ports command. 

Figure 9-2: Associating a Port with a Service 

Local» DEFINE SERVICE fastmodems PORTS 2 



Note: Set/Define Service Ports is discussed in detail on page -96. 

To use a service for modem sharing, the service should be associated with multiple ports; this permits 
multiple connections to the service. Connections will be made to the first available port. 

Figure 9-3: Associating a Service with Multiple Ports 

Local» DEFINE SERVICE fastmodems PORTS 2-4 

Ports associated with a service used for modem sharing must support outgoing connections. To support 
outgoing connections, the port access must be set to Dynamic or Remote. 

Figure 9-4: Configuring a Port for Outgoing Connections 

Local» DEFINE PORT 2 ACCESS DYNAMIC 



A port associated with a service used for modem sharing must also be configured to operate the modem 
attached to it. To configure modem operation on a port, use the following commands: 



Figure 9-5: Configuring Modem Operation on a Port 



Local» DEFINE PORT 2 MODEM CONTROL ENABLED 
Local» LIST MODEM 
Local» DEFINE PORT 2 MODEM TYPE 5 



To display a particular modem type's settings, use the Define Ports Modem Type command, discussed in 
detail on page -91. 

Note: For more information on modem configuration, see Chapter 8, Modems. For 
more information on port configuration, see Chapter 7, Ports. 

9.1.3 Displaying Current Services 

To display a list of the current services, use the Show/Monitor/List Services command. 

To display specific information about a service, the following parameters may be used with the 
Show/Monitor/List Services command: Characteristics, Summary, and Status. For example, to display a 
service's characteristics (including the ports associated with it), use the following command: 

Figure 9-6: Displaying a Service's Characteristics 

Local» LIST SERVICES fastmodems CHARACTERISTICS 



The command above shows the ports associated with the service fastmodems, the characteristics enabled 
for the service, and the service rating. 

Generally, a service rating of 255 means that the service is available, and a rating of zero means that it is 
busy or otherwise unavailable. A rating between 255 and zero indicates that the service is partially available. 
For example, fastmodems may be a modem pool containing three high-speed modems, one of which is 
available. In this case, the service rating for fastmodems would be 85. 

Note: Show/Monitor/List Services is discussed in detail on page -99. 

9.2 Sharing Modems 

To share unit modems, you must do one of the following: 

♦ Use the SMC COM Port Redirector application. 

♦ Form a TCP connection to a TCP listener socket associated with a service. 
♦ Form a TCP connection directly to a unit serial port. 

♦ Log into the unit and connect to a local service or port. 

These methods are discussed in the following sections. 

9.2.1 Configuring an IP Modem Pool Service 

Creating a service allows you to set up a modem pool on several unit ports. To create an IP modem pool 
service, enter the Set/Define Service Ports command. 

Figure 9-7: Creating an IP Modem Pool Service 

Local» DEFINE SERVICE modempool PORT 8-10 TCPPORT 4008 

Note: The complete syntax of Set/Define Service Ports is described on page -96. 

9.2.2 Using the COM Port Redirector 

To use the Redirector on an IP network, you must create a modem pool service that is associated with a TCP 
listener socket. Refer to Figure 9-8 for the necessary command. 

9.2.3 Connecting to a TCP Listener Service 

Each service may be associated with a TCP listener socket. TCP connections to the socket are connected to 
the service. Once a connection is established, a user may issue commands to the modem. 

To associate a service with a TCP listener socket, use the Set/Define Service TCPport command. Socket 
numbers must be between 4000 and 4999. 

Figure 9-8: Specifying a Raw TCP Listener Socket 

Local» DEFINE SERVICE fastmodems TCPPORT 4999 

Note: The complete syntax of Set/Define Service TCPport is listed on page -98. 

If the socket should perform Telnet IAC character-escaping negotiations on the data stream, use the Set/ 
Define Service Telnetport command. 

Figure 9-9: Specifying a Telnet TCP Listener Socket 

Local» DEFINE SERVICE slowmodems TELNETPORT 4500 

Note: Set/Define Service Telnetport is discussed in detail on page -99. 

Connecting to a TCP listener service is recommended if more than one modem is being used. The unit will 
automatically connect the user to the next available modem, avoiding the trial and error process of finding 
an available port (see Connecting to a Serial Port on page 9-4). 

To connect directly to a unit serial port, specify a port number of 300n or 200n. The n represents the 
number of the unit serial port; for example, port 2002 represents unit serial port 2. 

If you're using Telnet to connect to the unit, connect to port 2000 + n. The 2000 port is intended for Telnet 
connections; it performs Telnet IAC character-escaping negotiations on the data stream. In the example 
below, the Telnet command is used to connect to the unit serial port 3. 

Figure 9-10: Telnetting Directly to Port 3 

% TELNET server_name 2003 

If you're connecting via a host application, connect to port 3000 + n. This port provides an 8-bit clean 
connection, required by most host applications. 
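
The following added example (not part of the manual) shows why binary traffic belongs on the 3000 + n port: a byte of 0xFF sent unescaped to a Telnet port is read as the start of a Telnet command. It assumes standard RFC 854 command handling on the 2000 + n side; the function names are hypothetical.

```python
"""Added example: TCP port numbering for direct serial-port access and the
effect of Telnet IAC handling on a binary data stream."""

IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def tcp_port_for(serial_port, telnet):
    """Map unit serial port n to 2000 + n (Telnet) or 3000 + n (8-bit clean)."""
    if serial_port < 1:
        raise ValueError("serial port numbers start at 1")
    return (2000 if telnet else 3000) + serial_port


def telnet_escape(payload):
    """What a Telnet sender must do: double every 0xFF data byte."""
    return payload.replace(b"\xff", b"\xff\xff")


def telnet_decode(stream):
    """Receive side of a Telnet port: drop commands, un-double IAC IAC."""
    out = bytearray()
    i = 0
    while i < len(stream):
        byte = stream[i]
        if byte != IAC:
            out.append(byte)
            i += 1
            continue
        if i + 1 >= len(stream):
            break                          # truncated command at end of buffer
        cmd = stream[i + 1]
        if cmd == IAC:                     # escaped data byte 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                         # IAC, verb, option
        elif cmd == SB:                    # subnegotiation runs to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            i = end + 2
        else:
            i += 2                         # two-byte command such as IAC NOP
    return bytes(out)


if __name__ == "__main__":
    payload = b"\x01\xff\xfd\x01AT\r"      # constructed binary sample
    print("telnet port for serial port 3:", tcp_port_for(3, telnet=True))
    print("raw port for serial port 3:   ", tcp_port_for(3, telnet=False))
    print("unescaped via Telnet port:", telnet_decode(payload))
    print("escaped via Telnet port:  ", telnet_decode(telnet_escape(payload)))
```
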

9.2.5 Connecting to a Service or Port 

To connect to a local service or port from a unit login, use the Connect Local command at the Local> 
prompt. 

Figure 9-11: Connecting to a Local Service/Port 

Local» CONNECT LOCAL fastmodems 
Local» CONNECT LOCAL PORT_2 

If a service name is specified, a connection is made to the first available port associated with the service. If 
a port name is specified, the connection is made to the port unless the port is in use. 

Once the connection is established, commands may be issued to the modem attached to the serial port. 

9.3 Examples 

Users on an IP network need to connect to both a BBS and a commercial online service. The following 
modems are available: 

♦ Two 28,800 bps modems, reserved for connections to the online service 

♦ Four 14,400 bps modems, available for connections to both services 

♦ One 9,600 bps modem, reserved for connections to the BBS 




The modems are connected to a unit as follows: 



Table 9-1: Modems Connected to the unit 

| Speed | Connected to | unit Modem Type |
|---|---|---|
| 28,800 bps (2) | Ports 2 and 3 | 6 |
| 14,400 bps (4) | Ports 4 through 7 | 5 |
| 9,600 bps (1) | Port 8 | 4 |



Three services will be created for the modems: fastmodems, slowmodems, and slowestmodem. These will 
be used for the 28,800, 14,400, and 9,600 modems, respectively. 

Figure 9-12: Configuring the unit fastmodems Service 



Local» DEFINE SERVICE fastmodems PORTS 2-3 ENABLED 

Local» DEFINE PORT 2-3 ACCESS REMOTE 

Local» DEFINE PORT 2-3 MODEM TYPE 6 

Local» DEFINE PORT 2-3 MODEM CONTROL ENABLED 



Figure 9-13: Configuring the unit slowmodems Service 



Local» DEFINE SERVICE slowmodems PORTS 4-7 ENABLED 

Local» DEFINE PORT 4-7 ACCESS REMOTE 

Local» DEFINE PORT 4-7 MODEM TYPE 5 

Local» DEFINE PORT 4-7 MODEM CONTROL ENABLED 



Figure 9-14: Configuring the unit slowestmodem Service 

Local» DEFINE SERVICE slowestmodem PORT 8 ENABLED 

Local» DEFINE PORT 8 ACCESS REMOTE 

Local» DEFINE PORT 8 MODEM TYPE 4 

Local» DEFINE PORT 8 MODEM CONTROL ENABLED 



When all of the configurations have been entered, log the ports out and initialize the server. 

9.3.1 Configuring the Redirector 

The following table shows how the Redirector setup utility should be configured for this example. All three 
unit services (fastmodems, slowmodems, and slowestmodem) should appear in the Service Selection 
window. 



Table 9-2: Redirector Configuration 

| COM Port # | Redirect? | Selected Services |
|---|---|---|
| COM Port 1 | Yes | fastmodems, slowmodems |
| COM Port 2 | Yes | slowmodems, slowestmodem |

9.3.2 Configuring the PC Communications Software 

The communication software must be configured to connect to the online service by dialing out through 
COM Port 1 and to the BBS by dialing out through COM Port 2. 

The unit enables you to secure your network in a number of ways. Supported security features include: 

♦ Authentication of incoming connections 

♦ Authentication of outgoing LAN to LAN connections 

♦ Dialback during incoming connection attempts 

♦ Databases which store authentication information 

♦ Restriction of user access to commands and functions 

♦ Event logging 

10.1 Incoming Authentication 

Authentication forces users to prove their identities when attempting to connect to the unit. The connection 
type affects the authentication sequence and how the authentication information is transferred. Incoming 
connections may be one of the following types: character mode (Local> prompt) logins, PPP logins, SLIP 
logins, or virtual port logins. 

10.1.1 Character Mode Logins 

Each unit serial port may be configured to support any combination of the following: 

♦ A server-wide login password 

♦ A username/password pair 

♦ Dialback on serial ports with modems attached 

This section will discuss the login password and the username/password pair. Dialback will be discussed in 
the following section. 

Note: To configure a port to support character mode, see Port Modes on page 7-3. 

10.1.1.1 Login Password 

To set the login password, use the Set/Define Server Login Password command. 

Figure 10-1: Defining the Login Password 

Local» DEFINE SERVER LOGIN PASSWORD badger 

Note: The login password can be up to 6 characters long. The default password is 
"access." 






To require that users enter the login password when logging into a particular port, use the Set/Define Ports 
Password command. 

Figure 10-2: Requiring Login Password on a Port 

Local» DEFINE PORT 2 PASSWORD ENABLED 



10.1.1.2 Username/Password Pair 

In addition to the login password, each port may be configured to prompt users for a personal username and 
password. When the user enters the username/password pair, the unit scans the authentication databases (see 
Database Configuration on page 10-8) for a matching pair. If a match is not found, the login will not be 
permitted. 

Figure 10-3: Enabling Username/Password Authentication 

Local» DEFINE PORT 2 AUTHENTICATE ENABLED 



10.1.1.3 Virtual Port Logins 

Users can connect to a virtual port via a terminal connected to the serial console port or over the network 
using Telnet, Rlogin, or EZWebCon. For a complete discussion of virtual ports, see Virtual Ports on page 
7-19. 



By default, incoming Telnet and Rlogin connections are not required to enter the login password. To require 
the login password, use the Set/Define Server Incoming Password command: 

Figure 10-4: Requiring a Login Password for Telnet/Rlogin Connections 

Local» DEFINE SERVER INCOMING PASSWORD 



To require username/password authentication for virtual port logins, use the Set/Define Ports Authenticate 
command, specifying port 0 as the port number. 

Figure 10-5: Virtual Port Username/Password Authentication 



Local» DEFINE PORT 0 AUTHENTICATE ENABLED 



10.1.1.4 Starting PPP/SLIP From Character Mode 

PPP or SLIP may be started when a port is in character mode using the Define Ports PPP or Define Ports 
SLIP commands. If an incoming user specifies a particular site to be started (for example, Set PPP irvine), 
the site may prompt the user for its local (site-specific) password. 

Figure 10-6: Setting a Site's Local Password 



Local» DEFINE SITE irvine AUTHENTICATION LOCAL "badger" 



To prompt the user for the local password when attempting to start the site, use the Define Site 
Authentication Prompt command. 

Figure 10-7: Requiring Site's Local Password 

Local» DEFINE SITE irvine AUTHENTICATION PROMPT ENABLED 

10.1.2 PPP Logins 

This section covers authentication on ports dedicated to PPP or with PPPdetect enabled. If PPP will be 
started from character mode, see Character Mode Logins on page 10-1. 

Note: To dedicate a port to PPP or enable PPPdetect, see Chapter 7, Ports. 

10.1.2.1 How the Username/Password is Transmitted 

The username and password may be transmitted using CHAP (Challenge Handshake Authentication 
Protocol) or PAP (Password Authentication Protocol). Each protocol goes through a negotiation sequence 
to complete the authentication; see Chapter 3, Basic Remote Networking, for details. 

To use CHAP or PAP to authenticate incoming callers, CHAP Remote or PAP Remote must be enabled on 
the port accepting the call. One or both may be enabled; however, CHAP is recommended. 



Figure 10-8: Enabling PAP and CHAP for Incoming Connections 



Local» DEFINE PORT 2 PPP CHAP REMOTE 
Local» DEFINE PORT 2 PPP PAP REMOTE 



If both CHAP and PAP are configured for authentication, CHAP authentication will be attempted first. If 
the remote host does not understand CHAP, PAP will be attempted instead. If neither CHAP nor PAP 
successfully authenticates the caller, the connection is terminated. 

10.1.2.2 Comparing Username/Password to Authentication Databases 

If the username sent by the caller matches a site name, that site will be checked to determine if it has a local 
password defined. The local password is the password expected from the incoming caller. To configure a 
local password for a site, use the Define Site Authentication Local command. 

Figure 10-9: Defining a Site Local Password 

Local» DEFINE SITE irvine AUTHENTICATION LOCAL "wallaby" 



If the password entered matches the site's local password, the site will be started. If it does not match the 
local password, or if the site does not have a local password defined, the unit will check the next database 
(according to the order of database precedence). See Database Configuration on page 10-8 for details. 

Note: Some databases are case-sensitive, so the login information must be entered in 
the proper case in order for authentication to succeed. See the Database 
Configuration section for more information. 

A custom site will only be started if the username matches a site name and any password in an authentication 
database. If the username doesn't match a site name, but matches a username/password pair in an 
authentication database, a temporary site will be used for the connection. 

If a matching username/password pair is not found in any authentication database, the connection attempt 
will fail. 






10.1.2.3 Offering Authentication Information to the Incoming Caller 

If the incoming caller must authenticate the unit, the port must have PAP Local or CHAP Local configured. 
Use the Define Ports PPP CHAP Local or Define Ports PPP PAP Local command. 



Figure 10-10: Enabling CHAP and PAP Local 



Local» DEFINE PORT 2 PPP CHAP LOCAL 
Local» DEFINE PORT 2 PPP PAP LOCAL 



During CHAP/PAP negotiation, the unit will send the site's username and remote password to the incoming 
caller. To set a site's username and remote password, use the Define Site Authentication command: 

Figure 10-11: Configuring the Site Username and Remote Password 

Local» DEFINE SITE irvine AUTHENTICATION USERNAME Seattle 
Local» DEFINE SITE irvine AUTHENTICATION REMOTE gopher 



Use caution when configuring a site to offer and accept authentication information (when the site has both 
a local and remote password). PAP does not offer complete security in this situation; if the site has PAP 
authentication enabled for incoming and outgoing connections, both passwords may be compromised 
during the LCP negotiation process. 

When the unit receives an incoming call, a site configured with a local and remote password may let the 
incoming caller know that it is willing to transmit these passwords. If the remote caller has PAP 
authentication enabled, it may persuade the unit to transmit its passwords to the remote caller as part of the 
PAP authentication negotiation. At that point, the remote caller can hang up in possession of the unit 
passwords. The caller may be able to use the unit remote password to log into other networks, or to call the 
unit and connect as an authorized user. 
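
The reason CHAP is recommended, and the reason PAP can hand a password to the other end, is visible in the packets themselves. The following added example (not part of the manual) builds a PAP Authenticate-Request per RFC 1334 and a CHAP Response per RFC 1994, using the sample username and password from Figure 10-11; the function names and the fixed challenge are constructed for the illustration.

```python
"""Added example: what the far end receives for PAP versus CHAP."""
import hashlib
import hmac
import struct

PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request: peer ID and password travel as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def chap_packet(code, ident, value, name):
    """CHAP Challenge or Response: code, id, length, value-size, value, name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_response_value(ident, secret, challenge):
    """Response value = MD5(identifier || shared secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, secret, challenge, response):
    """Authenticator side: recompute the hash and compare in constant time."""
    if len(response) < 5:
        return False
    code, rid, length = struct.unpack("!BBH", response[:4])
    if code != CHAP_RESPONSE or rid != ident or length != len(response):
        return False
    value = response[5:5 + response[4]]
    return hmac.compare_digest(value, chap_response_value(ident, secret, challenge))


def compare_on_the_wire():
    """Build both packets for the same credentials and report what each reveals."""
    user, secret = b"Seattle", b"gopher"      # sample values from Figure 10-11
    challenge = bytes(range(16))              # constructed; real challenges are random
    pap = pap_request(1, user, secret)
    chap = chap_packet(CHAP_RESPONSE, 7,
                       chap_response_value(7, secret, challenge), user)
    return {
        "pap_exposes_password": secret in pap,
        "chap_exposes_password": secret in chap,
        "chap_accepts_right_secret": chap_verify(7, secret, challenge, chap),
        "chap_rejects_wrong_secret": not chap_verify(7, b"badger", challenge, chap),
        "chap_rejects_replay": not chap_verify(7, secret, bytes(range(16, 32)), chap),
    }


if __name__ == "__main__":
    for check, result in compare_on_the_wire().items():
        print(f"{check}: {result}")
```

With PAP, whichever side asks for authentication receives the password itself; with CHAP it receives only a hash bound to a challenge it chose, so a captured response is useless against a fresh challenge.
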

10.1.3 SLIP Logins 

SLIP does not support authentication; authentication must take place before SLIP is started. 

Ensure that the port will start in character mode by disabling SLIP autodetection and SLIP dedicated modes. 
SLIP Autodetection and dedicated SLIP are disabled by default. 

Figure 10-12: Disabling SLIPdetect and SLIP Dedicated 



Local» DEFINE PORT 2 SLIPDETECT DISABLED 
Local» DEFINE PORT 2 SLIP DISABLED 
Local» DEFINE PORT 2 SLIP ENABLED 



10.2 Outgoing Authentication 

When the unit attempts to connect to a remote host, the host may require that the unit send a username and 
password. The method used to transmit this username/password pair depends upon the type of login: 
character, SLIP, or PPP. 

10.2.1 Character Mode Logins 

If the remote device is expecting the information in character mode, the username and password must be 
sent in a chat script. The chat script should expect the username prompt, send the appropriate username, 
expect the password prompt, and send the appropriate password. See Chapter 4, Additional Remote 
Networking, for information on configuring chat scripts. 

10.2.2 PPP Logins 

If the remote device supports PPP, the username and password may be transmitted using CHAP (Challenge 
Handshake Authentication Protocol) or PAP (Password Authentication Protocol). Each protocol goes 
through a negotiation sequence to complete the authentication; see Chapter 3, Basic Remote Networking, 
for details. 

To enable CHAP and PAP authentication on outgoing connections, use the Define Site Authentication 
CHAP and Define Site Authentication PAP commands. One or both may be enabled; however, CHAP is 
recommended. 

Figure 10-13: Enabling PAP/CHAP Outgoing Authentication 

Local» DEFINE SITE dallas AUTHENTICATION CHAP ENABLED 
Local» DEFINE SITE dallas AUTHENTICATION PAP ENABLED 



If both CHAP and PAP are configured for authentication, CHAP authentication will be attempted first. If 
the remote host does not understand CHAP, PAP will be attempted instead. If both PAP and CHAP fail, the 
connection will be terminated. 

To define the username that the unit sends to the remote host, use the Define Site Authentication 
Username command: 

Figure 10-14: Outgoing Site Username 

Local» DEFINE SITE dallas AUTHENTICATION USER "Seattle" 



The password sent to the remote host is called the remote password. Configure this password with the 
Define Site Authentication Remote command. 

Figure 10-15: Configuring Site Remote Password 

Local» DEFINE SITE dallas AUTHENTICATION REMOTE "badger" 



10.2.3 SLIP Logins 

All outgoing SLIP authentication must be done with chat scripts before SLIP starts. SLIP does not support 
any authentication. To configure chat scripts, see Chapter 4, Additional Remote Networking. 

10.3 Dialback 

When dialback is used, the unit will verify the identity of incoming users by logging the port out and dialing 
the user back at a specified number. Dialback may be configured to do any combination of the following: 

♦ Log a port out and call the user back 

♦ Permit users to bypass the dialback process and connect immediately 

♦ Terminate the connection when unauthorized users attempt to connect 

Note: The port must be configured to use modems; for additional information, see 
Chapter 8, Modems. 

10.3.1 The Dialback Process 



1 When a username is entered on a dialback port, the unit determines if it should allow the connection 
or dial the user back. 

If the unit must dial the user back, it hangs up the modem by cycling DTR. 

2 The unit sends a command to the applicable serial port. The command contains the modem command 
prefix, the dial string, and the configured telephone number from its dialback database. 

3 The dial string should perform any special configuration required for the call, then dial the remote 
modem number (in the example above, 555-1235). It is not necessary to precede the telephone number 
by strings such as "atdt." 

4 The unit waits the length of the Carrier Wait setting for the DCD signal to go high, indicating that the 
modem has reconnected successfully. Otherwise, DTR is dropped for 3 seconds and the port is reset. 

5 The unit waits 30 seconds for the user to enter a username when in Dialback mode. After 30 seconds, 
the port is logged out to keep unauthorized users from denying other users access to that port. 

Note: Dialback only applies to incoming port logins. Dialback ports can be used 
normally for outgoing connections. 



To use dialback for character logins, configure a list of authorized users with the following steps: 

1 Enable modem control using the Define Ports Modem Control Enabled command. 

2 Assign a modem type to the port using the Define Ports Modem Type command. 

3 Enable dialback using the Define Ports Dialback Enabled command. 

4 Configure how Dialback treats users who are not in the dialback database. 

The Dialback Bypass setting controls what happens when a user that is not in the dialback database 
attempts to connect to the unit. If Bypass is enabled, these users will be allowed to connect without 
dialback occurring. If Bypass is disabled, these users will not be able to connect. 

5 Add users to the dialback database. 

To add a user to the dialback database, use the Set/Define Dialback command and specify a 
username and a telephone number. If the user must bypass dialback (regardless of whether Dialback 
Bypass is enabled or disabled), specify the Bypass parameter. 



Figure 10-16: Adding Users to the Dialback Database 



Local» DEFINE DIALBACK BYPASS ENABLED 
Local» DEFINE DIALBACK FRANK BYPASS 
Local» DEFINE DIALBACK BOB "555-1235" 



In the example in Figure 10-16, user frank will bypass dialback. When user bob attempts to connect, 
the unit will call him back at 555-1235. Any other user attempting to connect will be subject to 
dialback; if he or she is not in the dialback database, the attempt will fail. 

To view the Dialback database, use the Show/Monitor/List Dialback command. 

Figure 10-17: Viewing the Dialback Database 

Local» SHOW DIALBACK 



Note: You must be the privileged user to view the Dialback database. 

10.3.3 Dialback from SLIP/PPP Mode 

To authenticate incoming PPP and SLIP callers using dialback, the site managing the incoming connection 
must have dialback enabled. Use the Define Site Authentication Dialback command. 

Figure 10-18: Enabling Dialback on a Site 

Local» DEFINE SITE irvine AUTHENTICATION DIALBACK ENABLED 



Ensure that the correct ports and telephone numbers are defined; the site will use the defined site-specific 
or port-specific telephone number to dial the incoming caller. See Telephone Numbers on page 3-14 for 
more information. 

10.3.4 Dialback Using CBCP 

The unit supports the Microsoft Callback Control Protocol (CBCP) for dial-in PPP clients that request it. In 
conjunction with CBCP, the unit may be configured to allow the PPP client to choose the dialback telephone 
number. This form of dialback is referred to as "insecure dialback" because it negates the usual security 
provided by dialback. It is primarily used to offer remote users a way to specify a dialback number to reverse 
telephone charges. 

Note: Insecure dialback may pose a security risk. Use it with caution. 

After the CBCP-aware client has connected to the unit and has passed PPP authentication, and is optionally 
switched to a custom site, the unit will negotiate CBCP (this happens regardless of site dialback settings). 
Three callback options are available: 

♦ If dialback is disabled for the site, the connection will proceed without the dialback step. 

♦ If normal dialback authentication is enabled for the site, the unit will offer to call the PPP client back 
at the site-specific telephone number listed in the dialback database. If the client refuses, the 
connection will be terminated. 

♦ If insecure dialback is enabled for the site, the PPP client can choose to use the site-specific telephone 
number or specify a different telephone number to use for the return call. If the client refuses to use 
the site's telephone number and does not enter a valid alternate telephone number, the connection will 
be terminated. 

Note: The caller should have the alternate telephone number handy when connecting 
to the unit to ensure that the connection does not time out before the number can 
be entered. 

To configure a site to allow insecure dialback, enter the following command on the unit. 

Figure 10-19: Configuring Insecure Dialback 

Local» DEFINE SITE irvine AUTHENTICATION DIALBACK INSECURE 



Note: Insecure dialback is only offered under CBCP for PPP clients. It does not apply 
to SLIP or Local mode dialback situations. 

10.3.5 Potential Dialback Drawbacks 

The Dialback system does not absolutely guarantee security. Depending on the modem in use and its 
configuration, it may be possible for a determined attacker to penetrate the system. There are two windows 
of vulnerability where an attacker could gain unauthorized access to the unit. The first window exists after 
the unit hangs up the modem but before the modem dials the user back. The second is when a dialback 
attempt fails but before the server reaches the end of the configured carrier wait time-out period (the default 
setting is 60 seconds). Careful configuration and testing of the system during those short vulnerable periods 
is required to ensure a high level of security. 

If a second call arrives in the few moments after the server hangs up the modem but before the server issues 
the dial command, security may be breached. Until the modem goes "off hook," it may answer another 
incoming call and remain on-line, granting access to a possibly unauthorized user. This is highly unlikely 
and the chances of unauthorized access can be reduced further by configuring the modem to answer only 
after the second or third ring. Also, the modem must not answer the phone unless DTR is asserted. If 
possible, the modem should be configured to only dial after detecting a dial tone, and hang up otherwise. 

10.4 Database Configuration 

Six types of databases can store authentication information. The databases can be used in any order or 
combination, but no more than one of each type may be used. 

♦ Local authentication database stored in the unit's permanent memory (NVR) 

♦ Kerberos V4 server 

♦ RADIUS server 

♦ SecurID ACE/Server 

♦ UNIX password file, via TFTP 

The database search order is determined by each database or server's precedence. When configuring 
database precedence, it makes sense to specify the location where the largest number of username/password 
pairs is most likely to be found as the primary database. 

Note: See Database Search Order on page 10-26 for an example of database 
precedence configuration. 

Precedence settings should be configured carefully. If a database is configured for a precedence slot that has 
already been filled by another database, it will take over the precedence setting and return all of the previous 
database type's settings to their factory defaults. 

Note: To check the database information, use the Show/Monitor/List Authentication 
command (see page -159). Databases are listed according to their precedence 
numbers. 

It is important to realize how the unit handles authentication look-ups. First, the unit does not examine the 
reasons for authentication failures. It simply notes the failure. Second, all configured authentication 
methods will be tried until one method succeeds or all methods have failed. If six databases are configured 
and the database with the first precedence denies the user access, there are still five possible chances for the 
user to pass authentication. Remember that when it comes to configuring multiple authentication methods, 
your unit's security is only as strong as the weakest method configured. 

10.4.1 Local (NVR) Database 

The local database is stored in the unit NVR. Storing authentication locally offers the following advantages: 

♦ A network server is not required. 

♦ Local authentication functions even when the network is down. 

♦ Local authentication can execute and restrict user commands. 

♦ CHAP may be used for authentication. 

Disadvantages include: 

♦ The unit cannot share its databases with other servers. 

♦ The unit cannot share existing databases. 

♦ The local database is limited by the size of the server's NVR. 

10.4.1.1 Specifying the Precedence 

A precedence must be specified in order to use the Local database. To specify the precedence, use the 
Set/Define Authentication Local command. 

Figure 10-20: Specifying the Precedence 

Local>> DEFINE AUTHENTICATION LOCAL PRECEDENCE 1 

10.4.1.2 Username/Password Pairs 

To add a username/password pair to the local database, use the Set/Define Authentication Local 
command. 

Figure 10-21: Adding User and Password to Local Database 

Local>> DEFINE AUTHENTICATION USER "elmo" PASSWORD "badger" 

Note: All passwords are case sensitive. All usernames are case insensitive. 

10.4.1.3 Forcing Execution of Commands 

A command or series of commands may be associated with a particular username; the commands will be 
run when the user is successfully authenticated. For example, when user elmo logs into the unit, he will be 
automatically telnetted to host 192.0.1.67 and logged out of the unit. 

Figure 10-22: Forcing Commands 

Local>> DEFINE AUTHENTICATION USER "elmo" COMMAND "telnet 192.0.1.67; logout" 

Commands must be enclosed in quotes. If a series of commands is specified, they must be separated by 
semicolons. 

10.4.1.4 Permitting Users to Change Their Passwords 

By default, users are not permitted to change their passwords. To enable a user to change his or her 
password, use the Set/Define Authentication User Alter command. 

Figure 10-23: Permitting User to Change Passwords 

Local>> DEFINE AUTHENTICATION USER "elmo" ALTER ENABLED 

10.4.1.5 Forcing Selection of a New Password 

Users may be forced to select a new password during their next login. This is useful when the user has 
forgotten his or her password, or to ensure that passwords are changed on a regular basis. 

Figure 10-24: Forcing a User's Password to Expire 

Local>> DEFINE AUTHENTICATION USER "elmo" EXPIRED 

10.4.1.6 Displaying the Local Database 

Local database entries can be checked with the Show/Monitor/List Authentication User command. All 
users, their passwords, and other parameters are listed. 

Note: See Show/Monitor/List Authentication on page -159. 

10.4.1.7 Purging the Local Database 

To remove a particular user from the database, use the Clear/Purge Authentication User command. See 
Clear/Purge Authentication on page -135 for a complete description of this command. 

10.4.2 Kerberos 

The Kerberos Authentication Service is a network-based authentication service. Passwords are always 
transmitted in encrypted form. The unit supports Kerberos version 4. 

Kerberos is available as public-domain software and from commercial vendors. Please refer to your 
Kerberos server documentation for detailed information about setting up a Kerberos server, registering 
Kerberos clients, and administering a network that uses Kerberos. 

Kerberos advantages include the following: 

♦ Passwords are always encrypted; it is not possible to obtain a user's password by eavesdropping on 
a connection attempt. 

♦ Kerberos is a widely-accepted standard, and is proven to be secure. 

♦ The unit may easily be added to an existing Kerberos network. 

♦ A large number of users may be supported. 

Disadvantages include: 

♦ Configuring the Kerberos database can be complicated. 

♦ Kerberos only runs over IP. 

♦ Kerberos does not guard against guessing a user's password. 

♦ If the caller attempts to use CHAP for authentication, Kerberos cannot be used. 

Note: Kerberos authentication is case-sensitive. 

10.4.2.1 Configuring Kerberos 

1 Ensure that the unit clock is synchronized with the clock on the Kerberos server. The Kerberos 
authentication model attaches timestamps to the packets sent between the unit and Kerberos server to 
prevent replay attacks. The unit timestamp is only allowed to deviate 5 minutes from the Kerberos 
server clock before the packet is considered invalid, which would result in a failed authentication 
attempt. 

To synchronize the unit and the Kerberos clock, use the Set/Define IP Timeserver command: 

Figure 10-25: Synchronizing the Clocks 

Local>> DEFINE IP TIMESERVER 192.0.1.110 

2 Designate a precedence number for the Kerberos server. 

3 Configure the primary and secondary Kerberos server locations by IP address: 

Figure 10-26: Configuring Kerberos Precedence 

Local>> DEFINE AUTHENTICATION KERBEROS PRECEDENCE 2 
Local>> DEFINE AUTHENTICATION KERBEROS PRIMARY 192.0.1.52 
Local>> DEFINE AUTHENTICATION KERBEROS SECONDARY 192.0.1.53 



4 Configure the realm. The realm is the name of the Kerberos administrative region that defines the 
scope of client authentication data maintained by a Kerberos server. Most installations choose realm 
names that mirror their Internet domain name system. To specify the realm, use the Set/Define 
Authentication Kerberos Realm command. 

Figure 10-27: Configuring the Kerberos Realm 

Local>> DEFINE AUTHENTICATION KERBEROS REALM PHRED.COM 

5 Configure the principal, instance, and authenticator that enable the Kerberos server to identify the 
unit. Principal, instance, and authenticator entries must be configured on the unit to match the 
corresponding entries on the Kerberos server. 

The default setting for the unit principal is rcmd; for the unit instance, the default setting is smc. 

The authenticator is the password for the principal/instance pair. It must be defined on the unit and 
the Kerberos server. A text string or an eight-byte hexadecimal value may be specified. 

To specify the unit principal, instance, and authenticator, use the Set/Define Authentication Kerberos 
command (the command keyword is spelled PRINCIPLE): 

Figure 10-28: Configuring the Principal, Instance, and Authenticator 

Local>> DEFINE AUTHENTICATION KERBEROS PRINCIPLE "kerbauth" 
Local>> DEFINE AUTHENTICATION KERBEROS INSTANCE "smcname" 
Local>> DEFINE AUTHENTICATION KERBEROS AUTHENTICATOR "passwd" 
Local>> DEFINE AUTHENTICATION KERBEROS AUTHENTICATOR 0x08FF6D3E97735421 

6 Configure the Key Version Number (KVNO). The key version number ensures that the unit and 
Kerberos server are using the correct authenticator for the defined principal/instance pair. A KVNO 
must be configured on the unit to match the KVNO on the Kerberos server. 

To configure the unit KVNO, use the Set/Define Authentication Kerberos KVNO command. 

Figure 10-29: Configuring the unit KVNO 

Local>> DEFINE AUTHENTICATION KERBEROS KVNO 1 

Note: By default, the KVNO is set to 1. 

For additional Kerberos configuration instructions, see Set/Define Authentication on page -137. 

10.4.3 RADIUS 

The unit supports the Remote Authentication for Dial-In User Services (RADIUS) protocol. RADIUS is a 
centrally-located client-server security system. 

Note: The unit supports RADIUS as described in RFC 2058 and is intended to support 
future versions when they become available. 

RADIUS is geared towards large networks that have many communications servers, or many users for 
which explicit security measures must be enforced. Its advantages are: 

♦ Authentication information for multiple users, in multiple forms, can be stored in a single RADIUS 
server. 

♦ The RADIUS server can be part of a local or wide-area network. 

♦ RADIUS can be used with Kerberos and CHAP/PAP security. 

♦ Passwords are not transmitted across the network in readable form. 

Disadvantages include: 

♦ Keeping authentication information on one server can be dangerous; the server should be backed up 
regularly. 

♦ Those wishing to use RADIUS must use one of the database types that RADIUS supports (currently 
local RADIUS databases, UNIX password files, NIS files, Kerberos databases, and TACACS). 

♦ RADIUS servers are subject to security attacks from users already on the network. More information 
can be found in RFC 2058 and in your RADIUS server's documentation. 

RADIUS consists of two parts: authentication and accounting. Authentication is handled by the RADIUS 
authentication server, which stores authentication information configured by the network administrator. 
Accounting is handled by the RADIUS accounting server, which stores statistical information about 
authenticated connections. RADIUS accounting and authentication can be implemented independently of 
one another. 

10.4.3.1 RADIUS Authentication 

The general process of unit user authentication using a RADIUS server is explained below. 

1 A user connects to the unit. The unit prompts the user for a username and password, or CHAP/PAP 
authentication information if CHAP or PAP is configured. 

2 The unit creates an Access-Request packet that includes the username/password pair, an 
identification string for the unit, the port being used for the modem connection, the port type, and 
other information as needed (see Authentication Attributes in Appendix C for more information). The 
unit then encrypts the password and sends the packet to the RADIUS authentication server. 

Note: CHAP responses sent from the user's PPP software to the unit are not encrypted 
beyond what is inherent to the operation of CHAP. 

3 The RADIUS authentication server decrypts the Access-Request packet and routes it to the 
appropriate security checking mechanism, such as a UNIX password file or Kerberos database. Based 
on the information returned from the security check. 

A If authentication is successful, the server sends an authentication acknowledgement (Access-Accept) 
packet to the unit. The packet may contain additional information about the user's network 
system and connection requirements, such as the type of connection required and filtering 
information. The user is connected to a site or destination node if appropriate. 

Note: See Appendix C, Supported RADIUS Attributes, for more information about 
using filters with RADIUS. 

B If authentication fails, the server sends an Access-Reject packet to the unit. The unit will move 
on to the authentication method at the next precedence level, or terminate the connection if all 
methods have been tried. 

C The server may be configured to send a challenge to the user after the user attempts to log in. If this is 
the case, the unit will print the server's challenge and prompt the user to enter a response. The 
user must respond to the challenge, at which time step 3 is repeated using the response in place 
of the password in the Access-Request packet. 

Note: In order to respond to the challenge, the user must be in character mode which 
precludes the use of PAP or CHAP for authenticating the user. See RADIUS and 
Sites on page 10-14. 

To configure the unit for RADIUS authentication, use the Set/Define Authentication RADIUS commands. 

Figure 10-30: Configuring the unit to use RADIUS Authentication 

Local>> DEFINE AUTHENTICATION RADIUS PRECEDENCE 5 
Local>> DEFINE AUTHENTICATION RADIUS PRIMARY 192.0.1.77 
Local>> DEFINE AUTHENTICATION RADIUS SECONDARY 192.0.1.78 PORT 1620 



In the example above, the third command tells the unit to use port 1620 on the secondary RADIUS 
authentication server rather than the default RADIUS authentication port (port 1645). 

Note: See Set/Define Authentication RADIUS on page -141 for complete syntax and 
information. 

The secret string configured for the unit must match that of the RADIUS server being used for 
authentication. 

Figure 10-31: Configuring the RADIUS Server 

Local>> DEFINE AUTHENTICATION RADIUS SECRET "ok829dsnval843qx" 




For security reasons, it is recommended that you choose a secret string of at least 16 characters containing 
no obvious or easily-guessable items (such as names, phone numbers, or words that can be found in a 
dictionary). 
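
The password step of the Access-Request exchange described above, as an added Python example (not code from the unit or from SMC): it hides the password with the MD5-based User-Password scheme from the RADIUS RFCs, builds the request, and recovers the password on the server side, which only works when both ends hold the same secret. The attribute set, the NAS-Identifier `smc-unit`, the port number and the fixed authenticator are assumptions for illustration; the secret is the sample string from Figure 10-31.

```python
import hashlib
import struct

# Attribute type numbers from the RADIUS RFCs. Which attributes the unit
# really sends is listed in Appendix C; this selection is an assumption.
USER_NAME, USER_PASSWORD, NAS_PORT, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 2, 5, 32, 61
ACCESS_REQUEST = 1
ASYNC = 0  # NAS-Port-Type value for an asynchronous (modem) port


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password for the User-Password attribute.

    The password is null-padded to a multiple of 16 octets. Each block is
    XORed with MD5(secret + previous hidden block); for the first block the
    "previous block" is the 16-octet Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse hide_password() with the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, authenticator, secret, user, password, nas_id, port):
    """Unit side: code, identifier, length, authenticator, then attributes."""
    attrs = b"".join([
        _attr(USER_NAME, user),
        _attr(USER_PASSWORD, hide_password(password, secret, authenticator)),
        _attr(NAS_IDENTIFIER, nas_id),
        _attr(NAS_PORT, struct.pack("!I", port)),
        _attr(NAS_PORT_TYPE, struct.pack("!I", ASYNC)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes):
    """Server side: validate the header and split out the attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return authenticator, attrs


def server_recover_password(packet: bytes, secret: bytes):
    authenticator, attrs = parse_access_request(packet)
    return attrs[USER_NAME], unhide_password(attrs[USER_PASSWORD], secret, authenticator)


# Constructed sample values. The authenticator is fixed here only so the
# output is reproducible; a real one must be random, e.g. os.urandom(16).
SECRET = b"ok829dsnval843qx"
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(7, AUTHENTICATOR, SECRET, b"elmo", b"badger", b"smc-unit", 2)

if __name__ == "__main__":
    print(server_recover_password(PACKET, SECRET))                  # matching secret
    print(server_recover_password(PACKET, b"a-different-secret"))   # mismatch: garbage
```

The only thing protecting the password in transit is the shared secret fed into MD5, which is why the length and unpredictability recommendation above matters.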



10.4.3.2 RADIUS and Sites 

When a user logs in via PPP or SLIP, the unit looks for a site that has the same name as the user. If it finds 
a matching site, it starts the site and modifies it with whatever additional setup information the RADIUS 
server sends it in its Access-Accept packet (see Step A under RADIUS Authentication). If it does not find a 
matching site, it starts and modifies a copy of the default site. 

Note: Unless RADIUS specifically overrules a setting, the site's settings apply. 

If a user logs in using local mode but the RADIUS server indicates that the user should be using PPP or 
SLIP, the Set Site sitename Logout command will be executed where sitename is the name of the RADIUS 
site created for this user. 

Note: Setting up sites for specific users should be done sparingly, and only when a user 
has special connection requirements that can't be met otherwise. 

If, on the other hand, the RADIUS server detects that a user logging in via PPP should actually be a local 
mode user, the connection will be denied. The reason for this is two-fold: the user would not be able to return 
to the local prompt once in PPP mode, and allowing the connection may create a security hole. 

10.4.3.3 RADIUS Accounting 

A RADIUS accounting server creates an accounting log based on information that it gets from its client, 
such as the unit. The server also responds to the client so that the client knows its packets reached the 
accounting server intact. 

The unit sends four types of packets to the accounting server: 

Accounting-On      Sent each time accounting is enabled or re-enabled on the unit, and when the 
                   unit boots with accounting enabled. 

Accounting-Start   Sent when a user logs into the unit. This type of packet includes the user's 
                   name, port number, and current configuration. 

                   Note: EZWebCon users are logged as administrators. 

Accounting-Stop    Sent when a connection is logged out or otherwise terminated. This type of 
                   packet includes the user's name, reason for logout, length of connection, and 
                   the counts of bytes and packets sent and received. 

Accounting-Off     Sent when accounting is disabled on the unit, and when the unit is about to shut 
                   down or reboot. 

Accounting-Start and Accounting-Stop packets contain session IDs that are used to match them together. In 
order to generate the proper session IDs, the unit must know the current time. It can be told the correct time 
by a timeserver (configured with Set/Define IP Timeserver) or by its internal clock (configured with 
Set/Define Server Clock). If the current time is not set properly, accounting packets may carry non-unique 
session IDs and cause problems in the accounting log. 

Note: See Supported RADIUS Attributes, Appendix C, for more information on the 
types of information that are included in accounting packets. 

To configure the unit to send accounting information to the RADIUS accounting server, enter the 
Set/Define Authentication RADIUS Accounting command. 

Figure 10-32: Configuring the unit to use RADIUS Accounting 

Local>> DEFINE AUTHENTICATION RADIUS ACCOUNTING ENABLED 
Local>> DEFINE AUTHENTICATION RADIUS ACCOUNTING PRIMARY 192.0.1.130 
Local>> DEFINE AUTHENTICATION RADIUS ACCOUNTING SECONDARY 192.0.1.131 



The default RADIUS Accounting port is port 1646. A different port can be specified by adding the Port 
parameter to the command as shown in the third line of Figure 10-30. 

10.4.4 SecurID 

The unit supports the ACE/Server security system manufactured by Security Dynamics Technologies Inc. 
ACE/Server is a system of UNIX-based client-server software and accompanying token cards. 

Note: Refer to your Security Dynamics documentation for ACE/Server installation 
instructions. 

The SecurID card generates single-use, unpredictable numerical codes. These "cardcodes," together with 
the user's PIN, form the basis of the SecurID authentication. The PIN and generated cardcodes are referred 
to collectively as SecurID passcodes. To gain access to a network protected by SecurID, both elements of 
the passcode must be entered correctly. 

SecurID advantages include the following: 

♦ Three items are required for authentication: the token card, PIN, and user ID. 

♦ The card's cardcode is constantly changing, thus changing the passcode that the user enters. 

♦ If someone eavesdrops on a connection attempt and obtains a passcode, the passcode will not be 
useful; a new passcode will be required in a few minutes. This enhances the security of Telnet 
connections. 

Disadvantages include: 

♦ If the caller attempts to use CHAP for authentication, SecurID cannot be used. 

♦ Users are required to carry the token card. 

♦ SecurID cannot be used for LAN to LAN connections, as the unit has no way to generate passcodes. 

♦ The SecurID server must be configured. 

Note: SecurID authentication is case-sensitive. 

The Security Dynamics SecurID system requires communication between the ACE/Server and the end-user. 
For example, the user must enter a new PIN when a SecurID card is first used, and a second passcode when 
locked out. 

PAP does not allow for these types of messages or additional user input. Therefore, it is strongly 
recommended that SecurID be run from character mode only. It is possible to use SecurID with PAP, 
provided that situations like those mentioned above are either prevented or handled in text mode on the next 
call. 

10.4.4.1 Configuring SecurID 

To log into the unit, the user must enter a username at the username prompt, and the passcode at the 
password prompt. 

To specify the SecurID ACE/Server for authentication of username/passcodes, use the Set/Define 
Authentication SecurID command: 

Figure 10-33: Configuring the unit to Use SecurID 

Local>> DEFINE AUTHENTICATION SECURID PRECEDENCE 4 
Local>> DEFINE AUTHENTICATION SECURID PRIMARY 192.0.1.50 
Local>> DEFINE AUTHENTICATION SECURID SECONDARY 192.0.1.51 



After SecurID is configured on the unit, the unit will receive further configuration information from the 
ACE/Server. However, this only happens the first time that the unit and ACE/Server communicate. If you 
purge the authentication information on the unit or change the precedence of SecurID, this learned 
information will be lost. You will need to have your ACE/Server administrator reinitialize the unit with 
ACE/Server for SecurID to function properly again. 

If SecurID receives repeated authentication requests for an invalid username/password pair, it assumes that 
a login attack is taking place. SecurID will react by continually slowing its responses to the unit. This 
problem can be avoided by ensuring that SecurID has the highest precedence number. For example, if 
you're using SecurID, Kerberos, and a UNIX password file, set SecurID's precedence to 3. 

For additional SecurID configuration instructions, see Set/Define Authentication SecurID on page -144. 
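
The look-up rule from section 10.4 (every configured method is tried in precedence order until one succeeds, and failure reasons are ignored) and the SecurID placement advice above, modelled in one added Python example; this is not the unit's firmware. The backend class, the usernames other than elmo, and all passwords and passcodes are constructed sample data.

```python
from collections import Counter


class Backend:
    """One authentication database. `users` maps username -> password or
    passcode and is constructed sample data, not a real credential store.
    (A real SecurID passcode changes every few minutes; it is static here
    only to keep the model small.)"""

    def __init__(self, name, users):
        self.name = name
        self.users = dict(users)

    def check(self, user, secret):
        stored = self.users.get(user)
        return stored is not None and stored == secret


def authenticate(chain, user, secret, rejects=None):
    """Try each backend in precedence order (index 0 = precedence 1).

    The reason for a failure is never examined: an unknown user and a wrong
    password both simply move the look-up on to the next method.
    Returns the name of the backend that accepted, or None.
    """
    for backend in chain:
        if backend.check(user, secret):
            return backend.name
        if rejects is not None:
            rejects[backend.name] += 1
    return None


def rejects_seen(chain, attempts):
    """Count the failed look-ups each backend receives for `attempts`."""
    rejects = Counter()
    for user, secret in attempts:
        authenticate(chain, user, secret, rejects)
    return rejects


# Weakest link: the password was changed on the RADIUS server, but an old
# entry for the same user is still in the local (NVR) database.
RADIUS = Backend("RADIUS", {"elmo": "long-rotated-passphrase"})
LOCAL = Backend("LOCAL", {"elmo": "badger"})


def stale_local_entry_result():
    # RADIUS rejects the old password, LOCAL then accepts it.
    return authenticate([RADIUS, LOCAL], "elmo", "badger")


# SecurID placement: the same login attempts under two precedence orders.
SECURID = Backend("SECURID", {"carol": "1234508211"})   # PIN + cardcode
KERBEROS = Backend("KERBEROS", {"alice": "k-pass"})
TFTP = Backend("TFTP", {"bob": "u-pass"})
ATTEMPTS = ([("alice", "k-pass")] * 3 + [("bob", "u-pass")] * 2
            + [("carol", "1234508211"), ("dave", "mistyped")])


def securid_rejects(chain):
    """Invalid requests the ACE/Server would see for ATTEMPTS."""
    return rejects_seen(chain, ATTEMPTS)["SECURID"]


if __name__ == "__main__":
    print("old password accepted by:", stale_local_entry_result())
    print("SecurID first:", securid_rejects([SECURID, KERBEROS, TFTP]))
    print("SecurID last: ", securid_rejects([KERBEROS, TFTP, SECURID]))
```

With SecurID at precedence 1 every valid Kerberos or password-file login first reaches the ACE/Server as an invalid request; at precedence 3 it sees only the attempts that every other method has already refused.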

10.4.5 UNIX Password File 

Trivial File Transfer Protocol (TFTP) can be used to retrieve files from remote systems. During 
authentication, the unit can TFTP a UNIX password file and check the username and password fields for 
the pair provided by a user. The unit cannot add, modify, or delete password file entries. 

Note: The TFTP file is stored in UNIX /etc/passwd format. It must be in a location 
reachable via TFTP. 

UNIX password files are advantageous because existing UNIX password files can be used. Their main 
disadvantage is that TFTP poses a security risk. If the unit can retrieve the file, chances are that other hosts 
on the network can retrieve the file and potentially crack the passwords. If your network is not trusted, you 
may not want to use TFTP authentication. 
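
A check to run on a password file before publishing it over TFTP, as an added Python example (not part of the manual or of the unit's software): it parses /etc/passwd format and lists the accounts whose hash, or missing password, any host able to fetch the file could read. The sample file and its hash strings are constructed.

```python
import re

# Constructed sample in /etc/passwd format; the hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
elmo:Qz3kLm9pWvX2c:1001:100:Elmo:/home/elmo:/bin/sh
bob::1002:100:Bob:/home/bob:/bin/sh
george:$1$abcdefgh$0123456789abcdefghijkl:1003:100::/home/george:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
this line is not a passwd entry
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(field: str) -> str:
    """Describe what the second field of a passwd entry exposes."""
    if field == "":
        return "empty"            # account has no password at all
    if field == "x":
        return "shadowed"         # hash is kept elsewhere, not in this file
    if field[0] in "*!":
        return "locked"           # no password can match
    if DES_CRYPT.match(field):
        return "des-crypt"        # traditional 13-character crypt(3) hash
    if field.startswith("$"):
        return "modular-crypt"    # $id$salt$hash style entry
    return "unrecognized"


def audit_passwd(text: str):
    """Return (line number, username, finding) for every non-blank line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:      # name:passwd:uid:gid:gecos:home:shell
            findings.append((lineno, None, "malformed"))
            continue
        findings.append((lineno, fields[0], classify_password_field(fields[1])))
    return findings


def exposed_accounts(text: str):
    """Accounts whose hash (or lack of a password) a TFTP client can read."""
    risky = {"empty", "des-crypt", "modular-crypt"}
    return [user for _, user, kind in audit_passwd(text) if kind in risky]


if __name__ == "__main__":
    for lineno, user, kind in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {user or '?'}: {kind}")
    print("exposed:", exposed_accounts(SAMPLE_PASSWD))
```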

Note: UNIX password file authentication is case-sensitive. 

To use a UNIX password file to authenticate users, use the Set/Define Authentication TFTP command: 

Figure 10-34: Configuring the unit to Use a UNIX Password File 

Local>> DEFINE AUTHENTICATION TFTP PRECEDENCE 5 
Local>> DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.50 
Local>> DEFINE AUTHENTICATION TFTP SECONDARY 192.0.1.51 



Specify the full pathname of the password file using the Set/Define Authentication TFTP Filename 
command: 

Figure 10-35: Specifying the Pathname of the Password File 

Local>> DEFINE AUTHENTICATION TFTP FILENAME "/tftpboot/passwd" 

10.5 User Restrictions 

Individual unit users may be restricted in a number of ways. They may be prevented from using particular 
commands, forced to use a certain configuration, or forced to use a particular IP address. 

10.5.1 Privileged Commands 

Many of the unit commands require privileged user (superuser) status. To become the privileged user, use 
the Set Privileged command. The default privileged password is system. 

Figure 10-36: Set Privileged Command 



Local» SET PRIVILEGED 
Password> system (not echoed) 
Local>> 



Note: To change the privileged password, use the Set/Define Server Privileged 
Password command, described on page -108. 

Only one user may have privileged status at any time. If another user currently has privileged status, the Set 
Privileged Override command may be used to forcibly become the privileged user. To stop being the 
privileged user, use the Set Noprivileged command. 

10.5.2 Controlling Use of Set PPP/SLIP Commands 

In order for incoming callers to start PPP or SLIP with the Set PPP/SLIP commands, PPP or SLIP must be 
enabled on the port receiving the call. By default, PPP and SLIP are disabled. 

To enable or disable PPP or SLIP on a port, use the Set PPP/Set SLIP commands: 



Figure 10-37: Disabling PPP and SLIP 

Local>> DEFINE PORT 2 PPP DISABLED 
Local>> DEFINE PORT 2 SLIP DISABLED 



10.5.3 Securing a Port 

When a port is secure, users on that port will be prevented from editing many of the port's settings. In 
addition, they will only be able to display a limited amount of information using Show/Monitor/List 
commands. 

Note: Users logged in on secure ports cannot become privileged users. 

It is recommended to secure ports used for public use; for example, ports used for public dial-in modem 
pools. To secure a port, use the Set/Define Ports Security command: 

Figure 10-38: Securing a Port 

Local>> DEFINE PORT 2 SECURITY ENABLED 

Note: The complete syntax of Set/Define Ports Security is discussed on page -61. 

10.5.4 Locking a Port 

The Lock command may be used to secure a port without disconnecting sessions. When Lock is entered, 
the user will be prompted to enter a password. This port will then be locked until this password is used to 
unlock it. Figure 10-39 displays an example: 

Figure 10-39: Locking and Unlocking a Port 

Local> LOCK 

Password> donut (not echoed) 
Verification> donut (not echoed) 
Unlock password> donut (not echoed) 
Local> 



Note: Secure ports (set using the Set/Define Ports Security command) cannot be 
locked. 

To unlock a port without the Lock password, a privileged user must use the Unlock Port command 
(discussed on page -75) or log out the port using the Logout command (discussed on page -35). Logout will 
disconnect all sessions. 

10.5.5 Forcing Execution of Commands 

When a username is entered in the local authentication database (NVR), a series of commands may be 
associated with that user. These commands will be executed when the user is successfully authenticated. 

To execute commands when the user logs into the unit, first ensure that authentication databases have been 
configured; see Database Configuration on page 10-8 for instructions. Then associate commands with the 
username using the Set/Define Authentication User Command command. The commands you specify 
will be executed when the user is successfully authenticated. 

Figure 10-40: Forcing User to Start a Particular Site 

Local>> DEFINE AUTHENTICATION USER bob COMMAND "SET PPP dialin_users ; logout" 



In the previous example, when user bob logs into the unit, he will automatically start PPP and run the site 
dialin_users. 

To ensure that the user is not left at the Local> prompt after the forced command finishes executing, the 
string ";logout" may be added. 

10.5.6 Restricting Multiple Authenticated Logins 

The Set/Define Authentication Unique Enabled command can be used to prevent a single PPP or Local 
mode user from making multiple authenticated connections to the unit. 

For example, imagine that ports 1 through 8 have authentication enabled, but ports 9 through 16 do not. If 
user george connects to port 2 and enters the correct password, he will be permitted to log in. If, while george 
is connected to port 2, another user tries to log into port 3 using george as his username, he will be rejected. 

Unique authentication applies only to ports that have authentication enabled. If user george connects to 
port 2 and then attempts a second connection to port 9, the second login will be allowed because port 9 does 
not have authentication enabled. Similarly, if george attempts an authenticated login to port 2 after another 
user has logged into port 9 with username george, he will succeed (provided that he enters the correct 
password) because he is the first user to log in as george on an authenticated port. 

To enable unique authentication, enter the following command: 

Figure 10-41: Preventing Multiple Authenticated Logins By Single Users 

Local>> DEFINE AUTHENTICATION UNIQUE ENABLED 



10.5.7 Menu Mode 

For added security, ports may be configured to run menu mode. When a port is in menu mode, users that 
log into the port will be presented with a list of menu options. They will be limited to the choices listed on 
the menu, and will not be permitted to enter text commands. 

To set up a menu, use the Set/Define Menu command. For each menu entry, specify the option's numbered 
position in the table, the option name that will be listed, and the actual command invoked when the user 
chooses that option. Option and command names must be enclosed in quotes. 

Figure 10-42: Adding Command Entry to Menu Mode 

Local>> DEFINE MENU 4 "Telnet irvine" "TELNET 192.0.1.53" 

It is a good idea to add a command to the menu that allows the user to log out of the server. 

Figure 10-43: Adding Logout Command to Menu 

Local>> DEFINE MENU 10 "Exit" "Logout Port" 

To display the current menu, use the Show/Monitor/List Menu command. 

To enable menu mode on a particular port, use the Set/Define Ports Menu command. 

Figure 10-44: Configuring Port to Run Menu Mode 

Local>> DEFINE PORT 2 MENU ENABLED 



10.5.8 IP Address Restriction 

To avoid routing problems and enhance security, the unit can restrict incoming remote networking callers 
to a particular address or range of addresses. 

Each site may specify a particular range of acceptable IP addresses. When an incoming caller requests to 
use a specific address, it will be compared to this range. If the address falls within the range, the connection 
will be permitted; if not, the connection attempt will fail. 

To specify the beginning and end of the range, use the Define Site IP Remoteaddress command. Two 
addresses must be specified: the beginning of the range and the end of the range. 

Figure 10-45: Specifying Range of Addresses 

Local>> DEFINE SITE irvine IP REMOTEADDRESS 192.0.1.110 192.0.1.254 



Callers will not be permitted to use IP addresses with the host part of the address set to all zeroes or all ones. 
These addresses are reserved to identify broadcast packets. If the range that you specify includes such an 
address (for example, 192.4.5.0 or 192.4.5.255) and a caller requests this address, the connection will not 
be permitted. 

Note: For more information on IP address assignment, see IP Address Assignment on 
page 3-5. 
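
The range rule and the all-zeroes/all-ones exception above, as an added Python example (a model, not the unit's own logic). The explicit `netmask` argument is an assumption: the manual does not say how the unit derives the host part, and with a subnet mask longer than the default, reserved addresses also appear in the middle of a configured range.

```python
import ipaddress


def caller_address_allowed(requested, range_start, range_end, netmask):
    """Return (allowed, reason) for an address requested by an incoming caller.

    `netmask` is an assumption of this example; it decides which bits of the
    address count as the host part.
    """
    addr = ipaddress.IPv4Address(requested)
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    if start > end:
        raise ValueError("range start is above range end")
    host_mask = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    if host_mask == 0:
        raise ValueError("netmask leaves no host bits")
    if not start <= addr <= end:
        return False, "outside site range"
    host_part = int(addr) & host_mask
    if host_part == 0:
        return False, "host part all zeroes"
    if host_part == host_mask:
        return False, "host part all ones"
    return True, "permitted"


def reserved_in_range(range_start, range_end, netmask):
    """List addresses inside the site range that a caller can never be given."""
    first = int(ipaddress.IPv4Address(range_start))
    last = int(ipaddress.IPv4Address(range_end))
    return [
        str(ipaddress.IPv4Address(n))
        for n in range(first, last + 1)
        if not caller_address_allowed(n, range_start, range_end, netmask)[0]
    ]


if __name__ == "__main__":
    # Range from Figure 10-45, assumed mask 255.255.255.0
    print(caller_address_allowed("192.0.1.200", "192.0.1.110", "192.0.1.254",
                                 "255.255.255.0"))
    # Range from the text, assumed to be split into four subnets
    print(reserved_in_range("192.4.5.0", "192.4.5.255", "255.255.255.192"))
```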

10.6 Network Restrictions 

10.6.1 Incoming Telnet/Rlogin Connections 

Incoming Telnet and Rlogin connections can be permitted without restriction, password protected, or 
prevented entirely. By default, incoming Telnet and Rlogin connections are permitted without entering the 
login password; to change this configuration, use the Set/Define Server Incoming command: 



Figure 10-46: Preventing Incoming Telnet/Rlogin Logins 

Local>> DEFINE SERVER INCOMING NONE 
Local>> DEFINE SERVER INCOMING PASSWORD 



Note: The complete syntax of the Set/Define Server Incoming command is discussed on
page -105.

In Figure 10-46, the first command prevents all incoming Telnet and Rlogin connections. The second 
command permits the connections, but requires that the login password be entered before the connection is 
permitted. 

10.6.2 Outgoing Rlogin Connections 

The Set/Define Server Rlogin setting controls whether or not outgoing Rlogin connections are permitted. 
By default, outgoing Rlogin is disabled; to change this setting, use the following command: 

Figure 10-47: Permitting Outgoing Rlogin Connections 

Local» DEFINE SERVER RLOGIN ENABLED



10.6.3 Limiting Port Access 

A port's access may be set to one of the following: dynamic, local, remote, or none. Dynamic permits both 
local and remote logins, local permits only local logins, and remote permits only remote logins. None 
prevents all incoming and outgoing connections; the port is unusable. 

To configure a port's access setting, use the Set/Define Ports Access command.

Figure 10-48: Configuring Connection Type 

Local» DEFINE PORT 2 ACCESS REMOTE 
Local» DEFINE PORT 2 ACCESS DYNAMIC 



Note: For more information about configuring a port's access, refer to Setting Port 
Access on page 7-1. 

10.6.4 Packet Filters and Firewalls 

Filters enable the unit to restrict packet traffic. Each filter specifies a particular rule, for example, only IP 
packets will be permitted passage. Packets that pass the filter will be forwarded; packets that don't will be 
discarded. 

Filters are organized into ordered filter lists, which are referenced by name. For example, a filter named 
firewall may permit forwarding of packets that match a particular IP rule, but deny passage to packets that 
match a generic rule. 

Note: For a complete explanation of filter rules, see Set/Define Filter on page -149.

Filter lists are associated with sites. Sites use filter lists for the following purposes:

Table 10-1: Types of Filter Lists

Type of Filter List   Purpose

Idle                  Determines whether the site will remain active. Packets that
                      pass the filter will reset the site's idle timer, preventing the site
                      from being timed out.

Incoming              Determines whether to forward incoming packets received
                      from a remote site. Packets that pass the filter will be
                      forwarded.

Outgoing              Determines whether to forward outgoing packets to a remote
                      site. Packets that pass the filter will be forwarded.

Startup               Determines whether a site will initiate a connection to a
                      remote site. When a packet passes the filter, the unit will
                      initiate an outgoing connection. (If an outgoing connection
                      currently exists, this filter will be ignored.)


When a site with an associated filter list receives a packet, the unit will compare the packet against each
filter, starting with the first filter on the list. If the packet matches any of the filters, the packet will be
forwarded or discarded according to that filter's specification. If the packet does not match any of the filters
in the list, it will not be forwarded.

10.6.4.1 Filter Order 

The order that filters appear in a list is important. For example, consider the following filter list: 

♦ Allow any packets

♦ Deny all IP traffic matching a particular rule

When this filter list is associated with a site, all packets will be forwarded. Packets will be compared to the 
first filter in the list, and all packets will match specification "any packets." Therefore, all packets will be 
forwarded without being compared to the second filter. 

Switching the order of the two filters will have very different effects. Examine the filter list below, where 
the order of the two filters is reversed. 

♦ Deny all IP traffic matching a particular rule 

♦ Allow any packets 

When this filter list is used, any IP traffic matching the specified rule will be discarded. Therefore, some IP
packets will be discarded without being compared to the second filter.
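
The two orderings above, evaluated with first-match semantics and the "no match, not forwarded" default, as an added Python example (a model for reasoning about filter lists, not the unit's implementation). The "particular rule" is assumed to be the source-address rule from Figure 10-62, and the packet dictionaries and sample addresses are constructed; the shadowed() helper goes one step beyond the text and reports rules that can never be reached.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def _ip(text: str) -> int:
    return int(IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    action: str                       # "ALLOW" or "DENY"
    proto: Optional[str] = None       # None = any packet type
    src_mask: Optional[str] = None    # mask applied to the packet's source address
    src_addr: Optional[str] = None    # None = any source address

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.src_addr is not None:
            src = pkt.get("src")
            if src is None or (_ip(src) & _ip(self.src_mask)) != _ip(self.src_addr):
                return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet that `other` matches is also matched by this rule."""
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.src_addr is None:
            return True
        if other.src_addr is None:
            return False
        mine, theirs = _ip(self.src_mask), _ip(other.src_mask)
        # This rule's mask must test a subset of the other's bits and agree on them.
        return (mine & theirs) == mine and (_ip(other.src_addr) & mine) == _ip(self.src_addr)


def evaluate(filter_list: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, position of the deciding filter); position is None on default deny."""
    for position, rule in enumerate(filter_list, start=1):
        if rule.matches(pkt):
            return rule.action, position
    return "DENY", None  # packet matched no filter in the list: not forwarded


def shadowed(filter_list: List[Rule]) -> List[Tuple[int, int]]:
    """(position, position of the earlier covering filter) for every unreachable filter."""
    hits = []
    for i, later in enumerate(filter_list):
        for j, earlier in enumerate(filter_list[:i]):
            if earlier.covers(later):
                hits.append((i + 1, j + 1))
                break
    return hits


ALLOW_ANY = Rule("ALLOW")
DENY_LOCAL_SRC = Rule("DENY", "IP", "255.255.255.0", "192.0.1.0")  # assumed "particular rule"

ALLOW_FIRST = [ALLOW_ANY, DENY_LOCAL_SRC]   # first list in section 10.6.4.1
DENY_FIRST = [DENY_LOCAL_SRC, ALLOW_ANY]    # same filters, order reversed

SPOOFED = {"proto": "IP", "src": "192.0.1.77"}    # constructed: claims a local source
OUTSIDE = {"proto": "IP", "src": "198.51.100.9"}  # constructed: genuine outside source

if __name__ == "__main__":
    for name, flist in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, evaluate(flist, SPOOFED), evaluate(flist, OUTSIDE), shadowed(flist))
```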

10.6.4.2 Preventing All IP Traffic 

To prevent all IP packet traffic, you do not need to use a filter list. Instead, use the Define Site IP Disabled 
command. 

Figure 10-49: Preventing IP Packet Traffic 

Local» DEFINE SITE irvine IP DISABLED 



10.6.4.3 Setting Up a Filter List 

Configuring filter lists involves two primary steps: creating the filter list, and associating the list with a 
particular site. 

1 When a filter list is created, it must be assigned a name of no more than 12 characters. The remainder 
of the configuration consists of a series of rules that will filter packet traffic in a particular way. 

Use the Set/Define Filter command to create a new filter. 

Figure 10-50: Define Filter Command 

Local» DEFINE FILTER firewall ADD 1 DENY IP SRC 192.0.1.0 255.255.255.0 



Each rule is assigned a particular position in the filter list, denoted by a number. In Figure 10-50, the 
rule Deny IP will be added to the firewall filter in the first position of the list. If a position number 
isn't specified with the Set/Define Filter command, the rule will be added to the end of the filter list. 

Note: Set/Define Filter has many parameters, which are described in detail on page - 
149. 

2 A single filter list can be associated with many sites. Each site may use a filter list as an incoming, 
outgoing, startup, or idle filter. 

Note: Filter list types are described in Table 10-1 on page 10-22. 

To associate a filter list with a site, use the Define Site Filter command.

Figure 10-51 : Associating a Filter List With Sites 

Local» DEFINE SITE irvine FILTER IDLE firewall 
Local» DEFINE SITE dallas FILTER INCOMING firewall 

In Figure 10-51, filter firewall will be used as an idle filter for site irvine, and as an incoming filter 
for site dallas. 

Note: An example firewall is described in Creating a Firewall on page 10-29 

Note: Filters can also be used with RADIUS. See Filter-ID on page C-3 for more 
information. 

10.7 Event Logging 

Event logging enables a network administrator to track network and user activity. 

Logging can be configured at a number of levels. For example, one level of logging may record only system 
problems related to authentication, and another level may record all authentication activities (all 
passwords). 

10.7.1 Destination 

In order to use logging, the unit must be configured to send logging information to one of the following 
destinations: 

♦ A TCP/IP host running syslog 

♦ The unit memory 

♦ The unit serial console port, typically port 1 

To specify the logging destination, use the Set/Define Logging Destination command:

Figure 10-52: Specifying Logging Destination 

Local» DEFINE LOGGING DESTINATION CONSOLE 
Local» DEFINE LOGGING DESTINATION 192.0.1.5:1 
Local» DEFINE LOGGING DESTINATION betty:

Note: The complete syntax of Set/Define Logging is given on page -155.

A colon must be appended to the IP address or IP host name. Use of an IP address is suggested.

To see logging information that is stored in the unit memory, enter the Show/Monitor/List Logging 
Memory command. The following command will display the log and update the display continuously. 

Figure 10-53: Displaying Logging Saved to Memory 

Local» MONITOR LOGGING MEMORY

10.7.2 Logging Levels

The following table lists the different areas that can be logged and the logging options available for each 
area: 

Table 10-2: Events Logged by the unit

To Log Events       The Following Options are Available:
Associated With:    (Numbers Reflect Logging Level)

Authentication      1  System Problems
                    2  Failures and Successes
                    3  All Logins and Logouts
                    4  Incorrect Passwords
                    5  All Passwords and RADIUS Warnings

Commands            Enabled
                    Disabled

Dialback            1  Problems
                    2  Unauthorized Users
                    3  Dialback Failures
                    4  Dialback Successes
                    5  Dialback Attempts
                    6  Modem Chat

IP                  1  Errors
                    2  Packets that Trigger Remote Connections
                    3  Routing Table/Interface Changes
                    4  Incoming/Outgoing RIP Packets
                    5  Resulting Routing Table
                    6  Contents of All RIP Packets
                    7  Routed Packets

Modems              1  Problems
                    2  Call Statistics Dump From Modem
                    3  Setup

Networks            Enabled
                    Disabled

PPP                 1  Local System Problems
                    2  Remote System Problems
                    3  Negotiation Failures
                    4  Negotiation Data
                    5  State Transitions
                    6  Full Debugging

Printers            Enabled
                    Disabled

Sites               1  Usage Summary
                    2  Detailed Usage Summary
                    3  Errors
                    4  Connections
                    5  Bandwidth
                    6  Network Addressing
                    7  Chat Scripts
                    8  Modems and Dialback

System              Enabled
                    Disabled


For example, to record all logins and send the information to the console port, use the following command: 

Figure 10-54: Logging All Logins 

Local» DEFINE LOGGING AUTHENTICATION 3 

Note: Caution: Logging passwords may compromise security. 

Each logging level also logs all events associated with the lower-numbered levels. For example, if logging
level 6 is specified, the events associated with levels 1-5 will also be logged.

To disable all logging, use the following command: 

Figure 10-55: Disabling Event Logging 

Local» DEFINE LOGGING DESTINATION NONE

10.8 Examples 

10.8.1 Database Search Order 

The unit must be configured for authentication using a UNIX password file. The configuration must meet 
the following criteria: 

♦ A large group of users is listed in a RADIUS authentication database. The RADIUS server's IP
address is 192.0.1.55, and port 1640 is used rather than the default RADIUS authentication port.

♦ Two other groups of users are listed in UNIX password files; the files are on hosts 192.0.1.87 and
192.0.1.99.

♦ Any additional users will be added to the local database.

♦ A RADIUS accounting server has been set up at host 192.0.1.176 to log accounting information.

Figure 10-56 shows how to configure the unit in this situation:

Figure 10-56: Configuring Database Order 



Local» DEFINE AUTHENTICATION RADIUS PRECEDENCE 2 

Local» DEFINE AUTHENTICATION RADIUS PRIMARY 192.0.1.55 PORT 1640 

Local» DEFINE AUTHENTICATION TFTP PRECEDENCE 3 

Local» DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.87 

Local» DEFINE AUTHENTICATION TFTP SECONDARY 192.0.1.99 

Local» DEFINE AUTHENTICATION LOCAL PRECEDENCE 4 

Local» DEFINE AUTHENTICATION RADIUS ACCOUNTING ENABLED 

Local» DEFINE AUTHENTICATION RADIUS ACCOUNTING PRIMARY 192.0.1.176 



10.8.2 Terminal User Forced to Execute Command 

Terminal user jerry does not have an existing account on UNIX. He will only use the unit to Telnet to his 
own remote host, venus. The following figure shows the commands necessary to add jerry to the local 
database. 

Figure 10-57: A Single User Entry 



Local» DEFINE AUTHENTICATION USER "jerry" PASSWORD "3no37" COMMAND "TELNET venus; LOGOUT" ALTER DISABLED



When jerry connects to the unit, he is prompted for a login password, then his own username and password. 
When authenticated, he is automatically telnetted to host venus and logged out of the unit. 

Jerry will see the following: 

Figure 10-58: Results of User Authentication with Command 



Type HELP at the 'Local_1>' prompt for assistance.

Login password> badger (not echoed) 

Username> jerry 

Password> 3no37 (not echoed) 

Telnet/TCP protocol emulation v2.2 
SunOS UNIX (venus) 
Login :_ 

A large number of users need to connect to the unit. These users must be authenticated. The unit must be
configured to meet the following criteria:

♦ All users will connect to port 2. 

♦ 50 users have their usernames and passwords stored in a UNIX password file. 

♦ Another 20 users are PPP users that share site pppUsers for their connections. This site's password 
is special. 

♦ There is one SLIP user that will use site SlipMan. This site has password exception; once the 
password is entered, the site must automatically enter SLIP mode. 

Port 2 must be configured to automatically detect PPP so that it can begin running PPP and CHAP when 
necessary. The port must not be dedicated to PPP, however, because other connections will be using the 
same port. 

In order to authenticate the SLIP user, SLIPdetect must be disabled. Figure 10-59 displays the commands 
necessary for this configuration: 

Figure 10-59: Authentication for Multiple Users 



Local» DEFINE AUTHENTICATION TFTP PRECEDENCE 1
Local» DEFINE AUTHENTICATION TFTP PRIMARY 192.0.1.88
Local» DEFINE PORT 2 AUTHENTICATE ENABLED
Local» DEFINE SITE PPPusers LOCAL "special"
Local» DEFINE PORT 2 PPPDETECT ENABLED
Local» DEFINE PORT 2 SLIPDETECT DISABLED
Local» DEFINE SITE "SlipMan" IP REMOTEADDRESS 192.0.1
Local» DEFINE SITE "SlipMan" LOCAL "exception"
Local» DEFINE SITE "SlipMan" PROTOCOL SLIP



10.8.4 Outgoing LAN to LAN Connection 

A unit in Dallas must connect to a unit in Seattle. The Dallas unit must be configured in the following
manner:

♦ The unit in Dallas must have a site for the connection to the Seattle unit. The site's name is Seattle. 

♦ PPP will be used for the connection. 

♦ PAP authentication will be used. 

♦ To authenticate itself, the unit in Dallas must send username dallas and password texas. 

Figure 10-60: Configuring Remote Site Authentication

Local» DEFINE SITE Seattle AUTHENTICATION PAP ENABLED
Local» DEFINE SITE Seattle AUTHENTICATION USERNAME dallas
Local» DEFINE SITE AUTHENTICATION REMOTE "texas"



10.8.5 Creating a Firewall 

If your site involves an internet connection, it is a good idea to set up a firewall to augment current security. 
A firewall prevents outside users from freely accessing your network by controlling which services on your 
network are available to internet users. 

A local network consists of addresses 192.0.1.0 through 192.0.1.24. Site irvine is used to manage 
connections to this network. Irvine requires a firewall that does the following: 

♦ Prevents IP spoofing 

♦ Permits outgoing Telnet connections 

♦ Permits SMTP (Simple Mail Transfer Protocol) traffic to the local SMTP server, 192.0.1.102. The 
backup SMTP server is 192.0.1.103 

♦ Permits NNTP (Network News Transfer Protocol) traffic between the local NNTP server, 
192.0.1.104, and the remote NNTP server, 192.0.2.100 

♦ Permits outgoing FTP connections 

♦ Denies X-Windows traffic, but permits incoming TCP/IP traffic to ports 1023 and higher. 

♦ Permits DNS queries to the local Domain Name Server, 192.0.1.101 

♦ Permits ICMP (Internet Control Message Protocol) messages 

♦ Permits outgoing finger requests 

The firewall will be named fw_i. Packets that do not specifically match the filters in fw_i will be denied 
passage through the unit. 

Note: Due to the length of the commands in the following examples, the keywords 
Define and Filter are shortened to Def and Filt. 

The Set/Define Filter Create command is used to create the firewall. 

Figure 10-61 : Creating the Filter List 

Local» DEF FILT fw_i CREATE 

To prevent IP spoofing, the Define Filter Add Deny IP SRC command is used. This filter will block any
packets from an outside network that claim to have originated from the local network. This filter is placed 
at the beginning of the filter list; if it were not, spoofed IP packets could be permitted passage by filters 
positioned before this rule. 

Figure 10-62: Preventing IP Spoofing 

Local» DEF FILT fw_i ADD DENY IP SRC 255.255.255.0 192.0.1.0 



Note: The CERT advisory on IP spoofing is available from
ftp://cert.org/pub/cert_advisories/CA-95:01.IP.spoofing.

To permit outgoing Telnet connections initiated from the local network, the following command is used: 

Figure 10-63: Permitting Outgoing Telnet Connections 

Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ TELNET DPORT GT 1023 ACK 



To permit SMTP traffic between the unit and the local and backup SMTP servers, the following commands 
are required: 



Figure 10-64: Permitting SMTP Traffic to SMTP Servers 



Local» DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ SMTP SPORT GT 1023 DST 255.255.255.255 192.0.1.102
Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ SMTP DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.102
Local» DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ SMTP SPORT GT 1023 DST 255.255.255.255 192.0.1.103
Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ SMTP DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.103

To permit NNTP traffic between the local and remote NNTP servers, the following commands are required: 



Figure 10-65: Permitting Traffic Between NNTP Servers 



Local» DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ NNTP SPORT GT 1023 DST 255.255.255.255 192.0.1.104 SRC 255.255.255.255 192.0.2.100
Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ NNTP DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.104 SRC 255.255.255.255 192.0.2.100

To permit outgoing FTP connections, the following commands are used: 



Figure 10-66: Permitting Outgoing FTP Connections 



Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ FTP DPORT GT 1023 ACK
Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ FTPDATA DPORT GT 1023

The following three commands deny incoming X-Windows traffic to well-known ports 6000-6023, but
permit incoming TCP/IP connections to ports greater than 1023. This configuration also allows PASV-mode
FTP data.



Figure 10-67: Controlling X-Windows Traffic 



Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT GT 1023 DPORT GT 6024 ACK
Local» DEF FILT fw_i ADD DENY IP TCP SPORT GT 1023 DPORT GE 6000 ACK
Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT GT 1023 DPORT GT 1023 ACK



The three commands below permit UDP- and TCP-based queries and answers to the local Domain Name 
Server: 



Figure 10-68: Permitting DNS Queries 



Local» DEF FILT fw_i ADD ALLOW IP UDP DPORT EQ DNS DST 255.255.255.255 192.0.1.101
Local» DEF FILT fw_i ADD ALLOW IP TCP DPORT EQ DNS SPORT GT 1023 DST 255.255.255.255 192.0.1.101
Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ DNS DPORT GT 1023 ACK DST 255.255.255.255 192.0.1.101

To permit ICMP messages (except for redirect messages), a generic IP rule is defined: 



Figure 10-69: Permitting ICMP Messages 

Local» DEF FILT fw_i ADD ALLOW IP ICMP IPGENERIC OFFSET 0 MASK 0xf0000000 NE 0x50000000



Outgoing finger requests are permitted and incoming requests are prevented using this command: 

Figure 10-70: Permitting Outgoing Finger Requests 



Local» DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ FINGER DPORT GT 1023 ACK 




To use firewall fw_i as an incoming filter list for site irvine, the Define Site Filter Incoming command is 
used: 

Figure 10-71: Configuring a Firewall 

Local» DEF SITE irvine FILTER INCOMING fw_i 



10.8.6 Dialback 

A unit must be configured to prevent all users from connecting with the exception of two users, sam and
paul. When sam and paul attempt to connect to the unit, the modem must dial them back to verify their
identities.



The modem is connected to unit port 2, and there isn't a corresponding modem profile. The generic modem 
profile must be used. The following example assumes that modem profile type 3 is the generic modem 
profile (Use the List Modem command to view available modem profiles). 

Figure 10-72: Enabling Modem Handling/Selecting a Modem Type 

Local» DEFINE PORT 2 MODEM ENABLED 
Local» DEFINE PORT 2 MODEM TYPE 3 
%Info: Port speed changed to 57600. 
%Info: Port flow control changed to CTS . 



The following commands are used to configure dialback: 



Figure 10-73: Configuring Dialback 



Local» DEFINE PORT 2 DIALBACK ENABLED
Local» DEFINE DIALBACK sam "123-4567"
Local» DEFINE DIALBACK paul "867-5309"
Local» DEFINE DIALBACK BYPASS DISABLED
Local» LOGOUT PORT 2



10.9 Troubleshooting

To troubleshoot authentication problems, use event logging. To configure event logging, use the Set/Define 
Logging command, discussed on page -155. The following example assumes the terminal is connected to 
the console port (port 1). 

Figure 10-74: Configuring Authentication Event Logging 

Local» SET LOGGING DESTINATION CONSOLE 
Local» SET LOGGING AUTHENTICATION 4 

Fri Jan 26 13:44:40 1996 SMC_00DD12 : SYSTEM: notice: log closed 

Fri Jan 26 13:44:40 1996 SMC_00DD12 : SYSTEM : notice: syslog started 

Fri Jan 26 13:44:49 1996 SMC_00DD12 : AUTH: info: Denied Port 4 User john Password badpass 
Method Local 

Fri Jan 26 13:45:27 1996 SMC_00DD12: AUTH: info: Granted Port 4 User john Password goodpass 
Method Local 

Fri Jan 26 13:45:39 1996 SMC_00DD12 : AUTH: notice: Port 4 user john privilege password 
denied. 

Fri Jan 26 13:45:49 1996 SMC_00DD12 : AUTH: notice: Port 4 user john privilege password 
granted. 
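
The log in Figure 10-74 shows that authentication level 4 writes both failed and successful passwords in clear text. The following added Python example (not vendor code) parses those lines, counts denied attempts per port and user, and redacts the password field before a line is stored or forwarded; the line format is inferred from the six lines in the figure only, and the function names are hypothetical.

```python
import re
from collections import Counter
from typing import Optional

# The six lines of Figure 10-74, with the wrapped lines rejoined.
SAMPLE_LOG = """\
Fri Jan 26 13:44:40 1996 SMC_00DD12 : SYSTEM: notice: log closed
Fri Jan 26 13:44:40 1996 SMC_00DD12 : SYSTEM : notice: syslog started
Fri Jan 26 13:44:49 1996 SMC_00DD12 : AUTH: info: Denied Port 4 User john Password badpass Method Local
Fri Jan 26 13:45:27 1996 SMC_00DD12: AUTH: info: Granted Port 4 User john Password goodpass Method Local
Fri Jan 26 13:45:39 1996 SMC_00DD12 : AUTH: notice: Port 4 user john privilege password denied.
Fri Jan 26 13:45:49 1996 SMC_00DD12 : AUTH: notice: Port 4 user john privilege password granted.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +"
    r"(?P<host>[^\s:]+)\s*:\s*(?P<area>[A-Z]+)\s*:\s*(?P<sev>\w+):\s*(?P<msg>.*)$")
LOGIN_RE = re.compile(
    r"^(?P<result>Denied|Granted) Port (?P<port>\d+) User (?P<user>\S+) "
    r"Password (?P<password>.*?) Method (?P<method>\S+)$")
PRIV_RE = re.compile(
    r"^Port (?P<port>\d+) user (?P<user>\S+) privilege password "
    r"(?P<result>denied|granted)\.?$")
PASSWORD_FIELD_RE = re.compile(r"(\bPassword )(.*?)( Method \S+\s*)$")


def parse(line: str) -> Optional[dict]:
    """Split one log line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["kind"] = "other"
    if event["area"] == "AUTH":
        login = LOGIN_RE.match(event["msg"])
        priv = PRIV_RE.match(event["msg"])
        if login:
            event.update(login.groupdict(), kind="login", result=login["result"].lower())
        elif priv:
            event.update(priv.groupdict(), kind="privilege")
    return event


def redact(line: str) -> str:
    """Replace the clear-text password in a login line; other lines pass through."""
    return PASSWORD_FIELD_RE.sub(r"\1<redacted>\3", line)


def failures(log: str) -> Counter:
    """Count denied login and privilege attempts per (port, user, kind)."""
    counts = Counter()
    for line in log.splitlines():
        event = parse(line)
        if event and event["kind"] != "other" and event["result"] == "denied":
            counts[(event["port"], event["user"], event["kind"])] += 1
    return counts


def lines_exposing_passwords(log: str) -> int:
    """Number of lines that carry a password value and need redaction."""
    return sum(1 for line in log.splitlines() if redact(line) != line)


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        print(redact(raw))
    print(dict(failures(SAMPLE_LOG)), lines_exposing_passwords(SAMPLE_LOG))
```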






11: Command Reference



This chapter describes all commands that can be used with your Server. The sections are divided as follows: 

♦ Navigation/Help Commands on page -5, which covers commands that provide basic navigation, help, 
and global status. 

♦ IP Commands on page -15 

♦ Port Commands on page -33 

♦ Modem Commands on page -77 

♦ Service Commands on page -93 

♦ Server Commands on page -101 

♦ Site Commands on page -117 

♦ Security Commands on page -135 

11.1 Command Descriptions 

Each command description includes the following: 

♦ The command's full syntax, shown in diagram form

♦ Any restrictions on the command, such as whether you must be the privileged user to use it 

Note: For information on becoming the privileged user, see Set Privileged/ 
Noprivileged on page -69. 

♦ Potential errors that may be encountered when using the command 

♦ Descriptions of each associated parameter. Multiple optional parameters can be entered on the same
command line, subject to the maximum command line length of 312 characters.

♦ Default settings, where applicable 

♦ Examples of the command 

♦ Cross-references to related commands 

11.2 Command Types

Commands are generally grouped into functionally similar sets: Set/Define, Show/Monitor/List, and Clear/
Purge. There are subtle differences between each type of command, as explained below.

Set

Changes the unit immediately but not permanently. To make the change permanent, enter the Save 
command. 

Define 

Changes the permanent characteristics of ports, servers, and services. 

Define Port and Define SLIP settings take effect after the current user logs out. Define Site takes 
effect when a site is started. Define Server, Define Telnet Host, and Define Service settings take 
effect when the unit is rebooted. 

Note: Most Define commands are documented with their corresponding Set 
commands, but some are listed separately under the Define keyword. 

Show 

Displays the current settings, those made using the Set command but not yet defined or saved as 
permanent changes. 

Monitor 

Displays current operating characteristics, which are updated every three seconds until a key is 
pressed. Monitor commands may only be used by the privileged user. 

List 

Displays settings that will take effect the next time the unit is rebooted. 

Note: Monitor and List commands are documented with their corresponding Show 
commands. 

Clear 

Removes an item immediately, but does not make a permanent change.

Purge

Removes an item permanently, but doesn't take effect until the unit is rebooted. 

Note: Most Purge commands are documented with their corresponding Clear 
commands, but some are listed separately under the Purge keyword. 

11.3 About Strings 

When a command calls for a string, the following two things must be taken into consideration. 

First, any user-entered strings should be enclosed in quotes to retain the case entered. If a string is not 
enclosed in quotes, it will be changed to all uppercase characters, and any spaces will cause the unit to 
interpret the different parts of the string as different command parameters. 

In addition, string lengths are generally limited to thirty-one alphanumeric characters for pathnames and file 
server names, fifteen alphanumeric characters for filenames, and six alphabetic characters for the privileged 
and login passwords. When a string differs from the norm, its limitations are noted. 

11.4 Conventions Used in This Chapter

The following conventions are used to explain the syntax of the commands: 

♦ Optional parameters are enclosed in brackets []; one or more of these parameters may be used, or the 
command can be used without adding any of these parameters. 

♦ Required parameters are enclosed in curly braces {}; one and only one of these parameters must be 
used. 

♦ User-supplied parameters, such as a particular port number or host name, are shown in italics. 

11.5 Navigation/Help Commands

11.5.1 Apropos 



APROPOS keyword 



Displays commands containing the specified keyword. If a command containing the keyword cannot be 
found, the unit will display "nothing appropriate." 

The unit will not display all relevant commands. If there are analogous commands, such as Set Ports and
Define Ports, only one will be shown (in this case, Set Ports).

Restrictions   Privileged commands containing the specified keyword will only be displayed
               if you are currently the privileged user.

Parameters     keyword

               An alphanumeric string. You do not have to type the complete command
               keyword in order to get a response; partial strings will yield appropriate
               commands that contain that string.

Examples       APROPOS SITE

See Also       Help, page -8



11.5.2 Backwards

BACKWARDS

Switches sessions from the current session to the most recently started previous session. If there is only one
active session, it resumes. Repeating the command will cycle you "backward" through the active sessions.
If you reach the beginning of the session list, entering this command returns you to the most recent session.

See Also Forwards, page -7; Show/Monitor Sessions, page -74; Sessions, page 7-4 



11.5.3 Broadcast 





            ALL
BROADCAST { PORTS PortNum } message
            username






Sends a message to another port, all ports, or a specific user on the server. Broadcast may only be used if 
broadcasts have been enabled on the server using the Set/Define Server Broadcast command. 

Restrictions   You must be the privileged user to use the All parameter.

               Secure users may not send broadcasts.

Errors         An error will be returned if the port broadcasted to is flow controlled or if the
               server does not have broadcast enabled. The sender is notified if a message was
               not received.

Parameters     All

               Sends the message to all ports.

               Ports

               Specifies a particular port as recipient of the message. Must be used with the
               PortNum parameter.

               PortNum

               A particular unit port.

               username

               A particular user as recipient of this message.

               message

               One word, or several words, in quotes. The message will be sent exactly as
               typed if enclosed in quotes, or in uppercase if not. The message length is
               limited only by the length of the command line.

Examples       Local» BROADCAST PORT 7 "ready for lunch?"
               Local» BROADCAST fred "Meeting in 10 minutes."

See Also       Set/Define Server Broadcast, page -102; Rebooting the Unit, page 2-4

11.5.4 Cls

CLS

Clears the screen on your terminal device if the port is configured as Type ANSI.

11.5.5 Finger

FINGER [username] [@host]
FINGER FINGER

This command is based on the UNIX Finger command that displays local and remote users.

If a username is specified, information about that username will be displayed. If the user@host
parameters are specified, information regarding user user on TCP/IP host host will be displayed. Using the
Finger command without any parameters will display all current logins.

Restrictions   Secure users cannot use the finger command.

Errors         An error is displayed if the host cannot be accessed.

Parameters     username

               A username. If this parameter is omitted, all users on the host will be displayed.

               @host

               The "at" character, followed by a hostname.

               Finger

               Displays a list of current processes.

Examples       Local> FINGER BOB
               (shows user bob)

               Local> FINGER @HYDRA
               (shows users on host hydra)

               Local> FINGER bob@hydra
               (shows user bob on hydra)

See Also       Show/Monitor Users, page -115



11.5.6 Forwards



FORWARDS 



Cycles forward through your sessions in the order displayed by the Show Sessions command. The next 
session on the list becomes the active session. If there is only one active session, the session will resume. If 
the bottom of the session list is reached (the most recently started session) and this command is entered, the 
session at the top of the session list is resumed. 

Errors An error is displayed if no sessions are active. 

See Also Backwards, page -5; Set/Define Ports Forward Switch, page -51; Show/Monitor Sessions,
page -74; Sessions, page 7-4



11.5.7 Help 



HELP [command] [parameter]

Accesses the Help system. Using the Help command without any parameters displays all available
commands. Specifying a command gives information about that command and a list of its parameters.
Specifying a parameter gives information about the parameter, including any sub-parameters it may have.

Restrictions   Requires privileged user status to view help text.

Parameters     command

               A command name.

               parameter

               A parameter name. More than one parameter can be added to the Help
               command.

Examples       Local> HELP

               Local> HELP CONNECT

               Local> HELP DEFINE SERVER BROADCAST

See Also       Apropos, page -5



11.5.8 Monitor 



MONITOR 



Displays current operating characteristics. The displayed information is updated every 3 seconds until a key 
is pressed. Each Monitor command and its parameters are documented together with the corresponding 
Show command. 

Restrictions You must be the privileged user to use this command. 



11.5.9 Netstat 



NETSTAT 



Displays the currently active network connections. This information is primarily meant for debugging 
network problems. 

Restrictions Secure users may not use this command. 
11.5.10 Ping



PING hostname 



Sends a TCP/IP request for an echo packet to another network host. This provides an easy way to test 
network connections to other TCP/IP hosts. In general, any host that supports TCP/IP will respond to the 
request if it is able, regardless of login restrictions, job load, or operating system. 

If there is no reply from the host, this may indicate a network or TCP/IP configuration problem. 

Parameters hostname 

Text name or IP address of the network host. 

Examples Local> ping 192.0.1.23

Local> PING HYDRA.LOCAL.NET 

See Also Your Installation Guide 

11.5.11 Resolve 



RESOLVE hostname 



Attempts to resolve a TCP/IP name from the local host table and/or network nameserver. 

Errors An error is returned to signal either that the attempted name service failed, or
that the specified hostname is invalid.

Parameters hostname 

A TCP/IP hostname. Hostnames are usually limited to 64 characters, so the 
string is limited to 64 characters. 
11.5.12 Save

SAVE { AUTHENTICATION
     | FILTER filtername
     | IP { ROUTER | SECURITY }
     | PORT { PortList | ALL }
     | SERVER
     | SERVICE { name | ALL }
     | SNMP
     | LOGGING
     | MENU }



Saves current configurations (made with the Set command) into the permanent database. This treats 
configurations as if they were made using the Define command. 

To easily make current changes permanent, use the Save command after you have configured the port 
service, server, or printer. This eliminates the need to issue a corresponding Define command for each Set 
command. 

Restrictions Requires privileged user status. 

Errors Save without a parameter is invalid.

Parameters Authentication 

Saves authentication database preferences and the local authentication 
database. 



Filter 

Saves the packet filter settings for the specified filter. Must be used in 
conjunction with the filtername parameter. 

IP Router 

Saves the state of the IP router. 
IP Security 

Saves the current IP security table to the permanent database. 
Menu 

Saves all of the menu items setup using the Set Menu command to the 
permanent database. 

Port 

Saves the status of particular ports to the permanent database. 
PortList

A port number or list of ports. Port numbers should be separated with
commas (for lists) or dashes (for ranges).

All 

Saves the settings for all ports or services to the permanent database. 
Server 

Save all the server characteristics to the permanent database. 
Service 

Save the current characteristics of a local service to the permanent database. 

Note: No more than one service per port can be defined at any time; if more than one 
service is defined, the Save Service command may fail. 

name 

A service name. 
SNMP 

Saves all parameters associated with SNMP. 
Logging 

Saves the current logging configuration to the permanent database. 
Menu 

Saves all menu items setup using the Set Menu command (discussed on page 
-38) to the permanent database. 

Examples Local>> save port 2

Local>> SAVE SERVICE NTX

See Also Command Types, page 11-1 



11.5.13 Show/Monitor Queue

{ SHOW | MONITOR } QUEUE { PORT PortNum | NODE nodename | ALL | SERVICE ServiceName }





Show Queue will display the entries in a connect queue, if it exists. Particular sets of queues or entries can 
be selected with the Port, Node, or Service parameters. All can also be specified to show all entries. 

Restrictions You must be the privileged user to use the Monitor command. 

Parameters Port 

Displays information for all queue entries that can be served by the specified 
port. Must be used in conjunction with the PortNum parameter. 

PortNum 

Specifies a particular unit port. 
Node

Displays information for all queue entries requested from the specified node. 
Must be used in conjunction with the nodename parameter. 

nodename 

Specifies a particular node. 
All 

Displays information for all ports and nodes. 
Note: All is the default setting for Show/Monitor Queue. 
Service 

Displays information for all queue entries for the local service specified with 
the ServiceName parameter. 

ServiceName 

Specifies a service name of up to 16 characters. 

Examples Local> SHOW QUEUE Port 6 

Local> MONITOR QUEUE SERVICE lab5 



11.5.14 Show Version



SHOW VERSION 



Displays the current version of the unit software. 

See Also Reloading Operational Software, page 2-5 

11.5.15 Zero Counters

ZERO COUNTERS [ ALL | ETHERNET | PORT PortNum ]

This command is used to reset the counters for errors and other network and server events.

Restrictions You must be the privileged user to zero some other port (or All).



Parameters 



All 

Zeroes all Ethernet, TCP/IP, SLIP, and serial port counters. 
Ethernet 

Zeroes only Ethernet counters. 
Port 

Zeroes only the counters for events associated with a single serial port. 
Note: In the absence of a PortNum or the All or Ethernet parameters, the configuration
will affect the current port.

Examples Local>> zero counters port 6

11.6 IP Commands

11.6.1 Clear/Purge Hosts



{ CLEAR | PURGE } [TELNET] HOSTS { ALL | username }



Removes a TCP/IP host entry from the table of known hosts. If Clear is used and the host was seen 
through the rwho facility, it will reappear as soon as that machine broadcasts again. A host will also 
reappear if a user Connects to it. 



Restrictions Requires privileged user status.

Errors Clear Telnet Hosts will fail if there are any active Telnet connections on the
server.

Parameters All

Removes the names of all known hosts.

HostName

The name of a Telnet host to be removed.

Examples Local>> CLEAR HOSTS alex

See Also Set/Define Hosts, page -19; Show/Monitor/List Hosts, page -29



11.6.2 Purge IP Ethernet

PURGE IP ETHERNET num

Removes the specified secondary Ethernet from the permanent memory.

Restrictions Requires privileged user status.

Parameters num

An integer specifying a secondary Ethernet. Numbering begins at 1.

See Also Set/Define IP All/Ethernet, page -20; Show/Monitor/List IP Interface, page 30
11.6.3 Purge IP Factory



PURGE IP FACTORY 



Resets IP router options to their factory defaults. 

Restrictions Requires privileged user status. 

11.6.4 Clear/Purge IP Route

{ CLEAR | PURGE } IP ROUTE { DEFAULT | address | ALL }

Removes a static IP route.

Restrictions Requires privileged user status.

Parameters Default

Clears or purges default IP routes.

address

An IP address in standard numeric format (for example, 193.53.2.2).

All

Clears or purges static IP routes.

Examples Local>> PURGE IP ROUTE 192.0.1.1
Local>> PURGE IP ROUTE DEFAULT

See Also Set/Define IP Route, page -25; Show/Monitor/List IP Routes, page -30; IP
Routing, page 5-14



11.6.5 Clear/Purge IP Security

{ CLEAR | PURGE } IP SECURITY { address | ALL }

Removes entries from the trusted router table.

Restrictions Requires privileged user status.

Parameters address

An IP address in standard numeric format (for example, 193.53.2.2).

All

Clears or purges the entire security table.

Examples Local>> CLEAR IP SECURITY 192.0.1.2

See Also Set/Define IP Security, page -27; Show/Monitor/List IP, page -30; IP Address
Restriction, page 10-20



11.6.6 Clear/Purge IP Trusted

{ CLEAR | PURGE } IP TRUSTED { address | ALL }

Removes all entries from the trusted router table.

Restrictions You must be the privileged user to use this command.

Parameters address

An IP address in standard numeric format (for example, 193.53.2.2).

All

Clears or purges the entire security table.

Examples Local>> PURGE IP TRUSTED 192.0.1.1
Local>> PURGE IP TRUSTED ALL

See Also Set/Define IP Trusted, page -29; Show/Monitor/List IP Trusted, page -30;
Routing Tables, page 5-14
11.6.7 Send

SEND { AO | AYT | BRK | EC | EL | GA | IP | NOP | SYNCH }



Sends Telnet commands through a session. 

Note: This command is only functional for Telnet TCP connections. 

Parameters AO 

Abort Output. 

AYT 

Are You There 

BRK 

Break 

EC 

Erase Character 
EL 

Erase Line 
GA 

Go Ahead 



IP 

Interrupt Process 
NOP 

No Operation 

SYNCH 

Synchronize 
11.6.8 Set/Define Hosts

{ SET | DEFINE } [TELNET] HOSTS hostname IPaddress

Associates a TCP/IP hostname with an IP address in the local host table, allowing you to use the text name
for Telnet connections even if there is no name server to resolve it. If the given host name has already been
configured, the new IP address will replace the previous value.

Restrictions Requires privileged user status.

Errors You will receive an error if you enter an IP address in a questionable format.

Parameters hostname

The hostname string you wish to define, limited to 64 alphanumeric characters
with only 16 characters between any period delimiters.

IPaddress

Standard, numeric IP address of the machine referred to by the hostname.

Examples Local>> SET HOST spectre 192.0.1.11

See Also Clear/Purge Hosts, page -15; Show/Monitor/List Hosts, page -29
11.6.9 Set/Define IP All/Ethernet

{ SET | DEFINE } [PROTOCOL] IP { ALL | ETHERNET Ethernum }
    { DEFAULT { ENABLED | DISABLED }
    | TTL TTLnum
    | MTU bytes
    | PROXY-ARP { ENABLED | DISABLED }
    | RIP { { LISTEN | SEND } { ENABLED | DISABLED } | METRIC num }
    | TRUSTED { ENABLED | DISABLED } }

{ SET | DEFINE } [PROTOCOL] IP ETHERNET POOL { First Last | NONE }



Configures all interfaces on an Ethernet interface. 

Restrictions Requires privileged user status. 

Parameters All 

Configures all IP interfaces. 

Ethernet 

Configures an Ethernet interface. To specify the number of the Ethernet, the 
num parameter must be used. If no number is entered, the configuration will 
affect the primary interface. 

Note: Servers with one Ethernet port do not need the optional Ethernet num 
parameter; when omitted, it defaults to zero. 

Ethernum 

Enter the number of a specific secondary Ethernet interface. If a zero is 
entered, the configuration will affect the primary interface. 

TTL 

Sets the amount of time that the IP Time-To-Live value should be decremented 
by when routed through this interface. The specific amount must be set using 
the TTLnum parameter. 
TTLnum

An integer between 1 and 127, inclusive. 
Default 

If enabled, IP routing updates will advertise this router as the "default" route. 
Default is commonly used to avoid large routing tables when there is only one 
possible path to a large number of networks. 

MTU 

Sets the Maximum Transmission Unit, or "packet size", for this interface.
Packets larger than this value will be IP fragmented when transmitted. Must be
used in conjunction with the bytes parameter, discussed below.

bytes 

An integer between 40 and 1500, inclusive. 
Proxy-ARP 

If enabled, an ARP response will be sent in reply to ARP requests for non-local 
networks to which the unit knows a valid path. Commonly used to allow end 
hosts that don't understand routing or subnet masks to find a router. 

Pool 

Allocates a pool of IP addresses to dialin users. When Proxy-ARP is enabled, 
the unit will respond to ARP requests to all addresses in the pool. Must be used 
with the First and Last parameters, or with the None parameter. 

Note: The pool can be set to any size, but it makes sense to restrict it to the number of 
available serial ports. 

First 

Specifies the start of the range of IP addresses to be used. 
Last 

Specifies the end of the range of IP addresses to be used. 
None 

Disables use of the IP address pool. 
RIP 

Configures the IP Routing Information Protocol (RIP) for this interface. Must 
be used in conjunction with the Listen, Send, or Metric parameter. 

Listen 

Enables or disables RIP listening. 
Send 

Enables or disables RIP sending. 
Metric 

Configures the cost or "hop-count" of this interface, routes learned through this 
interface will have the value added to their metric. The value to be added must 
be specified using the num parameter. 
num

An integer between 1 and 16, inclusive. Commonly used to make a given
interface less desirable for backup routing situations.

Trusted

When enabled, this interface will only listen to routing updates from routers
specified by the Set/Define IP Trusted command. Otherwise, this interface
will listen to all routing updates.

Defaults Ethernet Interface number: 0
TTLNum: 1
Default, Proxy-ARP, and Trusted: Disabled
MTU: 1500 bytes
Listen and Send: Enabled

Examples Local>> DEFINE IP ALL MTU 1500
Local>> DEFINE IP ETHERNET MTU 1500
Local>> DEFINE IP ETHERNET POOL 192.0.1.50 192.0.1.59

See Also Clear/Purge IP Trusted, page -17; Show/Monitor/List Hosts, page -29; IP
Address Pools, page 5-4



11.6.10 Set/Define IP Create

{ SET | DEFINE } [PROTOCOL] IP CREATE ETHERNET 0 IPaddress Netmask



Creates a secondary interface — an interface that shares a physical device, such as an Ethernet port, but has 
a different IP address. The secondary interface is commonly used to allow more than one IP network on a 
given Ethernet. 



Restrictions Requires privileged user status.

Parameters 0

The number zero represents the primary Ethernet interface for which the
secondary interfaces are created. The number zero must be included in the
command.

IPaddress

An IP address in standard numeric format (for example, 193.0.1.50).

Netmask

A subnet mask; for example, 255.255.255.0.

Examples Local>> SET IP CREATE ETHERNET 0 192.73.220.183 255.255.255.0
11.6.11 Set/Define IP Domain

{ SET | DEFINE } [PROTOCOL] IP DOMAIN { DomainName | NONE }

Sets the default domain suffix. This suffix is appended to host names during IP name resolution.

Restrictions Requires privileged user status.

Parameters DomainName

A string of up to 64 characters.

None

Clears an existing domain suffix.

Defaults None (no domain defined)

Examples Local>> SET IP DOMAIN your.domain.com

See Also Show/Monitor/List IP, page -30; Specifying a Default Domain Name, page 5-8



11.6.12 Set/Define IP Ethernet

See Set/Define IP All/Ethernet, page -20. 

11.6.13 Set/Define IP Host Limit

{ SET | DEFINE } [PROTOCOL] IP HOST [LIMIT] { num | NONE }

Sets the maximum number of TCP/IP hosts that the unit will add to its host table as a result of Rwho and
DNS lookups. Hosts from the preset host table are exempt from this limit.

Restrictions Requires privileged user status.

Parameters num

An integer between 0 and 200.

None

Clears any current host limit.

Defaults Limit: 200 hosts

See Also Show/Monitor/List IP, page -30; Adding Hosts to the Host Table, page 5-9
11.6.14 Set/Define IP IPaddress

{ SET | DEFINE } [PROTOCOL] IP IPADDRESS address

Specifies the server's IP address for TCP/IP connections. The address must be specified using the address
parameter, described below.

Restrictions Requires privileged user status.

Errors An error is returned if there are active connections to the unit. An error is
returned if the address is in use by another node.

Parameters address

An IP address in standard numeric format (for example, 193.0.1.50).

See Also Show/Monitor/List IP, page -30; Setting the IP Address, page 5-2



11.6.15 Set/Define IP Loadhost

{ SET | DEFINE } [PROTOCOL] IP [SECONDARY] LOADHOST address

Specifies the IP address of the host used for TFTP loading.

Restrictions Requires privileged user status.

Parameters address

An IP address in standard numeric format (for example, 193.0.1.5).

See Also Set/Define Server Loadhost, page -105



11.6.16 Set/Define IP Nameserver

{ SET | DEFINE } [PROTOCOL] IP [SECONDARY] NAMESERVER address

Specifies the IP address of the local nameserving host for use on IP connections and NetBIOS connections
that use IP. The host's address must be specified using the address parameter, described below.

Restrictions Requires privileged user status.

Parameters address

An IP address in standard numeric format (for example, 193.0.1.5).

See Also Configuring the Domain Name Service (DNS), page 5-8

11.6.17 Set/Define IP NBNS 



{ SET | DEFINE } [PROTOCOL] IP [SECONDARY] NBNS address



Specifies the address of the NetBIOS Name Server (NBNS) used for NetBIOS over an IP network. NBNS 
addresses are passed via PPP to remote users who want to locate the name server dynamically. The unit does 
not use this information itself. 

Note: NBNS is also known as WINS. 

NetBIOS over IP can also use DNS; the nameserver address set with the Set/Define IP Nameserver 
command will also be passed on to remote node users who ask for them. 

Restrictions Requires privileged user status. 

Parameters address 

An IP address in standard numeric format (for example, 193.0.1.50). 

See Also Set/Define IP Nameserver, page -24; Configuring the Domain Name Service
(DNS), page 5-8

11.6.18 Set/Define IP Route

{ SET | DEFINE } [PROTOCOL] IP ROUTE { DEFAULT | destination } { NEXTROUTER router | SITE SiteName }



Configures a static route. Static routes are used to tell the IP router the path toward other IP networks that 
cannot be learned by a dynamic routing protocol such as RIP. Static routes commonly point to sites (see the 
Define Site commands), which represent the best path to the destination. The destination can be an IP 
network, a subnetwork, or a host. 

Restrictions Requires privileged user status. 
Parameters Default

Configures a default route. If an explicit route to a destination network doesn't
exist, the packet will be routed according to the default route.

Static default routes are used when another router is the designated default 
route. If this router is to advertise itself as the default router, see Set/Define IP 
All/Ethernet Default on page -20. 

destination 

An IP address in standard numeric form. 



Nextrouter 

Sets the router that packets to the destination will be sent to. 
router 

A router name or IP address. 



Note: If the route points to a site, use the Site parameter. 
Site 

Specifies the site that packets to the destination will be sent to. When a packet 
arrives for the destination, a connection will be formed to the specified site, if 
one does not currently exist. 

The site must be defined before a route can be created that points to the site. 
To configure a site, use the Define Site commands. 

SiteName 

A site name of up to 12 characters. 
Note: If the next "hop" is a router available on the LAN, use the Nextrouter parameter.

num

An integer from 1 through 16 representing the metric for this route.

Defaults Metric: 16 (unreachable)

Examples Local>> set ip route 198.8.8.0 next 192.0.1.9

See Also Clear/Purge IP Route, page -16; Show/Monitor/List IP Route, page -30; IP
Routing, page 5-14



11.6.19 Set/Define IP Routing

{ SET | DEFINE } [PROTOCOL] IP ROUTING { ENABLED | DISABLED }



Configures the routing of IP packets. If routing is disabled, any packets requiring routing on the unit will be 
rejected. The router will still learn routes via RIP (if enabled) for its own use. 
Restrictions Requires privileged user status.

Defaults Enabled

See Also IP Routing, page 5-14



11.6.20 Set/Define IP Security

{ SET | DEFINE } [PROTOCOL] IP SECURITY [ADDRESS] address
    [ { BOTH | INCOMING | OUTGOING } { ENABLED | DISABLED } ]
    [ PRINTER { ENABLED | DISABLED } ]
    [ PORTS PortList ]



Adds or changes entries in the IP security table. 

Restrictions Requires privileged user status. 

Parameters address 

The IP address to be restricted. The address can be a full IP address, such as 
192.0.180, to restrict one address; it can also be expressed as a partial address, 
such as 192.0.1.255, to restrict whole subnetworks. 



An address with a 255 in any segment means the restriction applies to all the 
addresses in that range. Any address with a 0 in any segment implies Incoming 
and Outgoing Disabled for all ports. 

Both 

Restricts both logins from the network to the server and Telnet sessions to the 
network from the server. 



Incoming 

Restricts logins from the network into the server. 
Outgoing 

Restricts Telnet sessions from the network into the server. 



Ports 

A list of ports for which the restriction applies. To specify a port or list of ports, 
use the PortList parameter. If PortList is not specified, all physical and virtual 
ports apply. A port number of 0 is used to apply to the virtual (incoming login)
ports. 
PortList

A port or series of ports to be restricted. Multiple ports must be specified with
a comma; ranges of ports must be specified with a dash (-).

Printer

Enables or disables LPR and RTEL printing from the specified host(s).

Defaults Both Enabled, Printing Enabled

Examples Local>> SET IP SECURITY ADDRESS 192.0.1.255 INCOMING ENABLED OUTGOING
DISABLED

Local>> SET IP SECURITY 134.0.1.255 PORT 3,5-7

See Also Clear/Purge IP Security, page -16; Show/Monitor/List IP Security, page -30;
IP Security, page 5-12
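The 255-wildcard address rule and the PortList syntax described for Set/Define IP Security, modelled offline as an added example (not code from this manual or from the unit's firmware). All function names are hypothetical; the zero-segment rule and the precedence between overlapping entries are not modelled because the text above does not define them precisely.

```python
"""Offline model of IP security table entries: which entries cover a host and port."""

# Defaults stated in the manual: Both Enabled, Printing Enabled.
DEFAULTS = {"INCOMING": "ENABLED", "OUTGOING": "ENABLED", "PRINTER": "ENABLED"}


def parse_portlist(text):
    """Expand a PortList such as '3,5-7': commas separate items, dashes mark ranges."""
    ports = set()
    for item in text.split(","):
        low, dash, high = item.partition("-")
        first = int(low)
        last = int(high) if dash else first
        if first > last:
            raise ValueError(f"descending port range: {item!r}")
        ports.update(range(first, last + 1))
    return sorted(ports)


def parse_address(text):
    """Return the four segments of a dotted address as a tuple of ints."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a four-segment numeric address: {text!r}")
    return tuple(int(p) for p in parts)


def parse_security_command(line):
    """Parse one SET/DEFINE IP SECURITY line (prompt allowed) into an entry dict."""
    words = line.upper().split()
    if "SECURITY" not in words:
        raise ValueError("not an IP SECURITY command")
    rest = words[words.index("SECURITY") + 1:]
    if rest and rest[0] == "ADDRESS":      # keyword appears in one manual example
        rest = rest[1:]
    if not rest:
        raise ValueError("missing address")
    entry = {"address": parse_address(rest[0]), "ports": None, **DEFAULTS}
    i = 1
    while i < len(rest):
        if i + 1 >= len(rest):
            raise ValueError(f"{rest[i]} needs a value")
        key, value = rest[i], rest[i + 1]
        if key in ("PORT", "PORTS"):
            entry["ports"] = parse_portlist(value)
        elif key in ("BOTH", "INCOMING", "OUTGOING", "PRINTER"):
            if value not in ("ENABLED", "DISABLED"):
                raise ValueError(f"{key} must be ENABLED or DISABLED")
            targets = ("INCOMING", "OUTGOING") if key == "BOTH" else (key,)
            for target in targets:
                entry[target] = value
        else:
            raise ValueError(f"unknown keyword: {key}")
        i += 2
    return entry


def covers(entry, ip, port):
    """True if the entry applies to this host address and port number.

    A 255 in any segment of the entry matches every value in that segment.
    ports=None means no PortList was given, so all physical and virtual ports
    apply; port 0 stands for the virtual (incoming login) ports.
    """
    host = parse_address(ip)
    address_ok = all(p == 255 or p == h for p, h in zip(entry["address"], host))
    port_ok = entry["ports"] is None or port in entry["ports"]
    return address_ok and port_ok


def matching_entries(commands, ip, port):
    """Return every parsed entry that covers the given host and port."""
    entries = [parse_security_command(c) for c in commands]
    return [e for e in entries if covers(e, ip, port)]


if __name__ == "__main__":
    # The two example commands from this section; host addresses are constructed.
    table = [
        "SET IP SECURITY ADDRESS 192.0.1.255 INCOMING ENABLED OUTGOING DISABLED",
        "SET IP SECURITY 134.0.1.255 PORT 3,5-7",
    ]
    for host, port in [("192.0.1.77", 0), ("134.0.1.9", 4), ("134.0.1.9", 6)]:
        print(host, port, matching_entries(table, host, port))
```

Running it against the List IP Security output of a unit shows quickly whether a wildcard entry covers more hosts or ports than intended.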



11.6.21 Set/Define IP Subnet

{ SET | DEFINE } [PROTOCOL] IP SUBNET [MASK] address

Specifies a subnet mask as an IP address. The mask must be specified using the address parameter.

Restrictions Requires privileged user status.

Parameters Mask

Specifies a subnet mask. Must be used in conjunction with the address
parameter. If a subnet mask isn't specified, a default subnet mask will be
inferred from the server's current IP address.

address

An IP address in standard numeric format (for example, 255.255.192.0).

Examples Local>> SET PROTOCOL IP SUBNET MASK 255.255.255.0

See Also IP Addresses, page 5-1



11.6.22 Set/Define IP Timeserver

{ SET | DEFINE } [PROTOCOL] IP [SECONDARY] TIMESERVER address

Configures a timeserver for the unit to use. The unit has no internal clock. The timeserver's address must be
specified using the address parameter.

Restrictions Requires privileged user status.

Parameters address 

An IP address in standard numeric format (for example, 193.0.1.50). 

Secondary 

Specifies a backup timeserver. 

11.6.23 Set/Define IP Trusted

{ SET | DEFINE } [PROTOCOL] IP TRUSTED address



Configures a list of trusted routers. When Set/Define IP All/Ethernet Trusted is enabled, the unit will only 
listen to RIP updates from routers in this list. 

Restrictions Requires privileged user status. 

Parameters address 

An IP address in standard numeric format (for example, 193.0.1.50). 

See Also Set/Define IP All/Ethernet, page -20; Show/Monitor/List HostsTrusted, page -29;
Clear/Purge IP Trusted, page -17; Types of Routes, page 5-15

11.6.24 Show/Monitor/List Hosts 





{ SHOW | MONITOR | LIST } [TELNET] HOSTS [ hostname | ALL | LOCAL ]





Displays either the currently available TCP/IP (Telnet/Rlogin) hosts (Show) or the ones that have been 
Defined locally in the host table (List). Hosts will be shown with the method of discovery (rwho, 
connection, host table, etc.) and will also be marked if they are the current nameserver and/or gateway. 
Specifying a particular host name will show only that host's information. Wildcards for the hostnames are 
allowed. The All option is the default, and it displays all known TCP/IP hosts. 

Restrictions You must be the privileged user to use the Monitor command. 

Parameters hostname 

Specifies a particular TCP/IP host. 

All 

Displays all the TCP/IP nodes that this server currently knows about. These 
include hosts from the local host table, as well as hosts seen by Rwho 
broadcasts and those resolved after a Connect/Telnet request. 
Local

Displays local TCP/IP nodes.

Examples Local> SHOW HOSTS ALL

See Also Set/Define Hosts, page -19; Adding Hosts to the Host Table, page 5-



11.6.25 Show/Monitor/List IP 



{ SHOW | MONITOR | LIST } [PROTOCOLS] IP
    [ INTERFACES [ ETHERNET [num] | SiteName | CACHE ]
    | ALL
    | ROUTES
    | TRUSTED
    | HASHTABLE
    | SECURITY ]



Displays the current operating characteristics of the targets. Use the List command to see the permanent 
attributes that will take effect upon reboot/login. 



Restrictions You must be the privileged user to use the Monitor command.

Parameters [No Parameters]

Entering the Show IP command without additional keywords will display 
general IP protocol information, including the following counters. 

The Reasons fields show counters in hexadecimal with the rightmost bit being 
0. For example, a Connect Failure Reason of 0040 represents 0000 0000 0100 
0000 in binary, which means that bit 6 is set. The meaning of each bit is 
explained in Table . 

Table 11-1: IP Failure and Message Reasons

Bit  | Connect Failure Reasons | Invalid Packet Reasons | ICMP Message Reasons
-----|-------------------------|------------------------|---------------------
0    | Internal failure, should be 0 | Data received outside window | Echo message received
1    |  | Connection terminated abnormally | Echo reply received
2    | No nameserver defined (for text host name) | Packet received with an invalid data checksum | Destination unavailable; see bits 4-7
3    | Attempted name service failed | Packet received with an invalid data header | Unknown ICMP type received
4    | No gateway was configured for a non-local connection | RST packet sent to remote node | Network unreachable; usually from a gateway host
5    | Attempted ARP failed | Packet received for an unknown local user | Host unreachable
6    | Remote host did not answer | Unused, should be 0 | Port unreachable; usually due to failed name service
7    | Remote host rejected the connection |  | Protocol unreachable
8-15 | Unused, should be 0 |  | Unused, should be 0

All 

Displays all defined IP information. 



Routes 

Displays the IP routing table. 
Interfaces 

Displays IP router interfaces. To display IP router information about a specific 
interface, Interfaces may be used in conjunction with one of the following 
parameters: Ethernet, Cache, or SiteName. 

Ethernet 

Displays information about a particular Ethernet interface. To specify the 
interface, use the num parameter. 

num 

An integer specifying a particular Ethernet interface. 
SiteName 

A particular site whose IP information will be displayed. 
Cache 

Displays cache statistics. 
Trusted 

Displays trusted IP routers. 

Timeserver 

Displays the timeserver. 

Hashtable 

Displays the routing table's hash table statistics. 
Security 

Displays the active (Show, Monitor) or permanent (List) IP security entries. 
Examples Local> show ip hashtable

Local>> SHOW IP INTERFACES ETHERNET
Local>> SHOW IP INTERFACES ETHERNET 4

See Also Netstat on page -8; IP Commands, beginning on page -15; Chapter 5, IP
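Decoding a Reasons field from Show IP against Table 11-1, as an added example that is not part of the original manual. The field keys (connect_failure, invalid_packet, icmp_message) and function names are hypothetical; the bit meanings are transcribed from the table, with None marking cells the table leaves blank.

```python
"""Decode the hexadecimal Reasons counters shown by SHOW IP, per Table 11-1."""

UNUSED = "Unused, should be 0"
BLANK = None  # cell left empty in Table 11-1

# List index = bit number (the rightmost bit is bit 0), for bits 0 through 7.
_LOW_BITS = {
    "connect_failure": [
        "Internal failure, should be 0",
        BLANK,
        "No nameserver defined (for text host name)",
        "Attempted name service failed",
        "No gateway was configured for a non-local connection",
        "Attempted ARP failed",
        "Remote host did not answer",
        "Remote host rejected the connection",
    ],
    "invalid_packet": [
        "Data received outside window",
        "Connection terminated abnormally",
        "Packet received with an invalid data checksum",
        "Packet received with an invalid data header",
        "RST packet sent to remote node",
        "Packet received for an unknown local user",
        UNUSED,
        BLANK,
    ],
    "icmp_message": [
        "Echo message received",
        "Echo reply received",
        "Destination unavailable; see bits 4-7",
        "Unknown ICMP type received",
        "Network unreachable; usually from a gateway host",
        "Host unreachable",
        "Port unreachable; usually due to failed name service",
        "Protocol unreachable",
    ],
}

# Bits 8-15: marked unused in two columns, left blank in the third.
_HIGH_BITS = {"connect_failure": UNUSED, "invalid_packet": BLANK, "icmp_message": UNUSED}


def _meanings(field):
    """Return the 16 per-bit meanings for one Reasons column."""
    if field not in _LOW_BITS:
        raise KeyError(f"unknown Reasons field: {field!r}")
    return _LOW_BITS[field] + [_HIGH_BITS[field]] * 8


def _parse(hex_value):
    """Parse the displayed hexadecimal string into a 16-bit integer."""
    value = int(hex_value, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("Reasons fields are 16 bits wide")
    return value


def decode_reasons(field, hex_value):
    """Return [(bit, meaning), ...] for every bit set in the field."""
    meanings = _meanings(field)
    value = _parse(hex_value)
    return [(bit, meanings[bit] or "not documented in Table 11-1")
            for bit in range(16) if value & (1 << bit)]


def unexpected_bits(field, hex_value):
    """Return set bits that the table marks 'should be 0' or leaves blank."""
    meanings = _meanings(field)
    value = _parse(hex_value)
    return [bit for bit in range(16)
            if value & (1 << bit)
            and (meanings[bit] is None or "should be 0" in meanings[bit])]


if __name__ == "__main__":
    # 0040 is the manual's own example; the other values are constructed.
    for field, shown in [("connect_failure", "0040"),
                         ("icmp_message", "0024"),
                         ("connect_failure", "0101")]:
        print(field, shown, decode_reasons(field, shown), unexpected_bits(field, shown))
```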
11.7 Port Commands

11.7.1 Clear/Purge Menu

{ CLEAR | PURGE } MENU { ALL | MenuNum }



Removes a specified menu entry or all menu entries. 



Restrictions Requires privileged user status.

Parameters All

Clears all menu entries.

MenuNum

An integer from 1 through 36 specifying a particular menu entry to be
removed.

Examples Local>> CLEAR MENU ALL
Local>> CLEAR MENU 2

See Also Set/Define Menu, page -38; Set/Define Ports Menu, page -54; Show/Monitor/
List Menu, page -72; Menu Mode, page -12



11.7.2 Connect 



CONNECT [ { TELNET | TCP } host[:port][:envstring]
        | RLOGIN host[:port][:envstring] [username]
        | LOCAL target[:envstring] ]



Establishes a connection with a TCP/IP host. If no hostname is specified, a connection to any preferred host 
is attempted. 

Note: The keyword " Connect" is not needed for Telnet or Rlogin connections, but must 
be included in the command for TCP or Local connections. 

A colon and session environment string can be added to the connect request (see Setting Session 
Characteristics on page 7-6). A colon and a port number can be added to the hostname for TCP/Telnet/ 
Rlogin sessions; in this case, the specified port number will be used for the connection. There should be no 
spaces between the hostname, colon, and port number or environment string. 
Parameters Telnet

The port is dedicated to the specified Telnet host. Must be used in conjunction
with the host parameter.
TCP 

Establishes a raw TCP connection to the host/port number specified. This is 
useful for non-standard applications that do not desire any interpretation of the 
data stream (for example, UUCP). 

Rlogin 

Forces an Rlogin connection to the remote host. Must be used in conjunction 
with the host parameter. May also take a username after the host parameter, 
in which case a username is sent to the remote Rlogin host. 

host 

Enter a text host name or an IP address in a standard numeric format (for 
example, 192.0.1.183). 

envstring 

Sets up the connection environment before the session is started. The string is
constructed with a sequence of key letters, some of which are prefaced by
either the "+" or "-". The key letters are:

D    +D = Backspace mode      -D = Delete mode
E    +E = Local Echo mode     -E = Remote Echo mode
I    I = Interactive mode
P    +P = Passall mode        -P = Passthru mode
C    +C = CR = CRLF           -C = CR = LF
T    TCP mode (i.e. uninterpreted datastream)
R    Rlogin protocol (sets port number to 513 if not already set)
Q    Queued (i.e. RTEL) connections



Local 

Establishes a connection to a local service or port specified with the target 
parameter. 

target 

A local service or port name. 

Examples Local> CONNECT
Local> CONNECT TELNET 145.34.35.11:245
Local> CONNECT TCP labsun
Local> CONNECT RLOGIN 145.34.35.14
Local> CONNECT RLOGIN docserver mary

See Also Set/Define Ports Preferred, page -57; Disconnect, page -35; Preferred &
Dedicated Services, page -8
11.7.3 Disconnect

DISCONNECT [ [SESSION] session | ALL ]

Terminates the current session (if no session is specified), the specified session, or all sessions.

Examples Local> DISCONNECT
Local> DISCONNECT SESSION 3

See Also Connect, page -33; Show/Monitor Sessions, page -74; Exiting Sessions, page 5



11.7.4 Lock 



LOCK 



Locks a port without disconnecting sessions. When you enter this command, you will be queried for a 
password (6 alphanumeric characters maximum) and asked to verify it. The port is then locked until that 
password is used to unlock it. If a user forgets the password, the privileged user must either log out the port 
using the Logout command (disconnecting all sessions) or use the Unlock Port command. 

Note: The password and verification are not displayed as the user types them. 

Restrictions Secure users may not lock their ports. 

Examples Local> LOCK 
Password> donut 
Verification> donut 
Unlock password> donut 
Local> 

See Also Set/Define Server Lock, page -106; Unlock Port, page -75; Logout, page -35; 
Set/Define Ports Security, page -61; Locking a Port, page -9 



11.7.5 Logout 



LOGOUT [PORT PortList | SITE SiteName] 

Logs out a port or a site on the server. Active sessions are disconnected, and all site circuits are closed. 

Restrictions Only privileged users can log out a port or site other than their own. 

Parameters Port 

Logs out the list of ports specified with the PortList parameter. 

PortList 

Specifies a port or series of ports to be logged out. Multiple ports must be 
separated by commas (for lists) or dashes (for ranges). 

Note: If the PortList parameter isn't specified, the current port will be logged out. 
Site 

Logs out a site, closing all circuits. Must be used in conjunction with the 
SiteName parameter. 

SiteName 

A site name of up to 12 characters. 
Examples Local> LOGOUT 

Local> LOGOUT PORT 2,4-6 

See Also Automatic Logouts, page -11 



11.7.6 Mode 



MODE [COMSerPort:]baudrate,parity,charsize[,stopbits] 

Immediately and permanently configures the serial port parameters. Mode is provided for DOS 
compatibility. 

Note: There should be no spaces between user-entered parameters (see examples 
below). 

Restrictions Requires privileged user status. 

Parameters SerPort 

A serial port number. 

baudrate 

One of the following baud rates: 300, 600, 1200, 2400, 4800, 9600, 19200, 
38400, 57600, 115200, or 230400. 

parity 

One of the following parity settings: Odd, Even, or None. 

charsize 

7 or 8. 



stopbits 

1 or 2. 
Examples Local> MODE COM2:9600,odd,7 

See Also Set/Define Ports Character Size, page -46; Set/Define Ports Parity, page -55; 
Set/Define Ports Speed on page -64; Port Modes, page -3 



11.7.7 Purge Port 




Resets a port to the factory default PPP or Modem settings, but without affecting any other port settings. 
When used without the PPP or Modem parameters, both PPP and Modem settings are purged. 



Restrictions Requires privileged user status. 

Parameters PPP 

Resets all Link Control Protocol parameters on the specified port. 

Modem 

Clears the specified port's modem init information. 

PortNum 

Specifies a particular unit port. 

See Also Show/Monitor/List Ports on page -72; Port Commands, page -33 



11.7.8 Resume 



RESUME [SESSION number] 

Leaves character (Local>) mode and resumes the current (active) session. To resume a session other than 
the current one, specify a session number with the number parameter. 

Errors An error is returned if there are no active or defined sessions. 

Parameters number 

A session number, which can range from one to the total number of sessions 
that you currently have open. 

Examples Local> RESUME 

Local> RESUME SESSION 4 

See Also Switching Between Sessions, page -5 

11.7.9 Rlogin 



RLOGIN keyword 



Requests an Rlogin connection to a specified host, or the preferred TCP host if no host is specified. 

Note: Rlogin is an abbreviation for Connect Rlogin, described on page -33. 

Errors An error is returned if Rlogin is not enabled. Secure users may only use the 
Rlogin command if it has been enabled on the server by a privileged user. 

Parameters hostname 

A text hostname or an IP address in standard numeric format (for example, 
192.0.1.183). 

username 

A username to use as the login name. 

See Also Connect, page -33; Set/Define Ports Password, page -56; Telnet and Rlogin 
Sessions, page -10 



11.7.10 Set/Define Menu 



{SET | DEFINE} LOGGING {ItemNum String Command | TITLE TitleString} 

Configures individual Menu Mode menu choices and the menu's title banner. 

Note: You should add a menu entry that allows users to log out. This can be 
accomplished by adding a "Logout Port" command to the end of the menu. 

Restrictions Requires privileged user status. 

Parameters ItemNum 

A number (1 through 36) that corresponds to the menu entry you are changing. 

String 

A text string, up to 32 characters long, that is displayed to users in the menu 
screen. 

Command 

A string of text, up to 32 characters long, that is displayed to users in the menu 
screen. 

TitleString 

An optional title for the entire menu, up to 48 characters long. 



Examples Local> SET MENU 5 "SHOW SET NODES" "SHOW HOSTS" 

See Also Show/Monitor/List Menu, page -72; Clear/Purge Menu, page -33; Menu 
Mode, page -12; Menu Mode, page -20 

11.7.11 Set Noprivileged 

See Set Privileged/Noprivileged. 

11.7.12 Set/Define Ports Access 

{SET | DEFINE} PORTS [PortList | ALL] ACCESS {DYNAMIC | LOCAL | NONE | REMOTE} 

Sets the type of incoming connections allowed through the physical port. 

Restrictions Requires privileged user status. 

Errors If a port is active, its access cannot be set. 

Autobaud must be disabled for Remote and Dynamic ports. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas for lists or dashes for ranges. 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Dynamic 

The ports can receive connection requests from local and remote users. 
Local 

The ports can only accept connection requests from local users (those 
connected to the serial ports). No remote logins are permitted. 

None 

The specified ports are unusable. 
Remote 

The specified ports accept only network connection requests. No local logins 
are permitted. 

Defaults Dynamic 

Examples Local> DEFINE PORTS ALL ACCESS LOCAL 

See Also Setting Port Access, page -1; Limiting Port Access, page -21 

11.7.13 Set/Define Ports Authenticate 



{SET | DEFINE} PORTS [PortList | ALL] AUTHENTICATE {ENABLED | DISABLED} 

When enabled, prompts incoming user for a username and password to be checked against the 
authentication database(s) set up with the Set/Define Authentication commands. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also Clear/Purge Authentication, page -135; Set/Define Authentication, page -137; 
Show/Monitor/List Authentication, page -159; Ports Not Using Automatic 
Protocol Detection, page -11; Port Restrictions, page -9 

11.7.14 Set/Define Ports Autobaud 



{SET | DEFINE} PORTS [PortList | ALL] AUTOBAUD {ENABLED | DISABLED} 



Enables a port to detect the incoming baud rate and change its own to match at login time. Autobaud must 
be disabled for Remote and Dynamic port access and for any port offering a service. 

Note: When Autobaud is enabled, you may have to press Return twice or more to allow 
the port to determine the baud rate. 

Restrictions Requires privileged user status. 
Errors Autobaud and Autostart cannot be used together. If you try to configure both 
options, you will get a message saying that the previously configured option 
was disabled. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note: In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Autobaud works for most baud rates when both ends of the line are the same 
parity, or when the port is set to 8 bits with no parity and the incoming 
connection is 7 bits with even parity. Baud rates must be within 3 "steps" of 
each other; 9600 to 38400 will work, but 9600 to 115200 will not. 

Defaults Disabled 

Examples Local> DEFINE PORTS AUTOBAUD DISABLED 

See Also Configure Modems, page -15; Modem Speeds, page -1 

11.7.15 Set/Define Ports Autoconnect 













{SET | DEFINE} PORTS [PortList | ALL] AUTOCONNECT {ENABLED | DISABLED} 

If enabled, the port connects automatically to the preferred service upon login. To exit to character (Local>) 
mode, the Break command can be used. To attach other services, the Connect command can be used. 

Restrictions Requires privileged user status to use this command on ports other than your 
own. Secure users may not use this command. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

Examples Local> SET PORTS AUTOCONNECT ENABLED 

See Also Set/Define Ports Preferred, page -57 

11.7.16 Set/Define Ports Autostart 



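{SET | DEFINE} PORTS [PortList | ALL] AUTOSTART {ENABLED | DISABLED} 
{SET | DEFINE} PORTS [PortList | ALL] AUTOSTART CHARACTER {x | ANY | NONE} [y | ANY] 
{SET | DEFINE} PORTS [PortList | ALL] AUTOSTART SAVE {1 | 2 | NONE} 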

Determines whether the specified port will wait for a carriage return or pre-set character(s) before starting 
a connection. Enabling Autostart causes the port to start connections automatically. Autostart can also be 
configured to allow a user-defined sequence of one or two characters to initiate sessions. 

If the port is in Dedicated mode, the autostart characters can be sent to the host as the first bytes of data. In 
all other modes, autostart characters are discarded. 



Restrictions Requires privileged user status. 

Errors Autostart and Autobaud are incompatible. If the port is set for Autobaud, 
enabling Autostart will disable Autobaud and produce an error message. 

The Save parameter is only applicable when the port is configured with a 
dedicated host. 

If Modem Control is enabled, a port enabled for autostart will not be idle unless 
DSR is held low, and therefore will not be available for connections from the 
network. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note: In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Character 

Sets a character that will cause a login event. Users will get the benefit of 
Autostart without having to hit Return or enable Autostart for extended periods 
of time. 

x 

Enter the desired alphanumeric character. To specify a control character, use 
escaped hex (\xx). For example, Ctrl-B (ASCII character 0x02) would be 
specified as \02. 

y 

Enter the optional second alphanumeric character. To specify a control 
character, use escaped hex (\xx). For example, Ctrl-B (ASCII character 0x02) 
would be specified as \02. 

Any 

Sets a wildcard character. 
None 

Clears the autostart character. 
Save 

Specifies what happens to the characters that start the connection. Either the 
first and/or second autostart characters will be passed to the host as the first 
bytes of data, or the characters will be discarded. 

None 

Discards the autostart characters. 
Defaults Disabled 

Examples Local> DEFINE PORTS 2 AUTOSTART ENABLED 

Local> DEFINE PORT 1 AUTOSTART CHARACTER A 
Local> DEFINE PORT 1 AUTOSTART SAVE 1 

See Also Starting Automatically, page -2 

11.7.17 Set/Define Ports Backward Switch 



{SET | DEFINE} PORTS [PortList | ALL] BACKWARD [SWITCH] {character | NONE} 

Defines a "backward" key. From character (Local>) mode, typing this key functions as if the Backward 
command was entered; the user may switch to the previous session without entering character mode. 

Any key can be specified unless it conflicts with line editing or the Break or Forward keys. The key 
you specify will be stripped from the data stream, so while it won't interfere with remote operating systems, 
you will lose any functionality that key would have on local programs. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Switch 

Defines the control character. Must be used in conjunction with the character 
parameter. 

character 

The character to be used as the backward switch. To specify a control 
character, use escaped hex (\xx). For example, Ctrl-B (ASCII character 0x02) 
would be specified as \02. 

None 

Clears the current switch character. 



Defaults None configured 

Examples Local> SET PORT 2 BACKWARD SWITCH \02 

See Also Backwards, page -5; Set/Define Ports Forward Switch, page -51; Set/Define 
Ports Local Switch, page -53; Switching Between Sessions, page -5 

11.7.18 Set/Define Ports Break 



{SET | DEFINE} PORTS [PortList | ALL] BREAK {LOCAL | REMOTE | DISABLED} 

Determines where processing of the Break key will take place. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. Secure users may not use this command. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Local 

Pressing the Break key will return to character (Local>) mode. 
Remote 

The Break key is ignored by the unit and passed through to the remote service. 
Disabled 

Pressing the Break key does nothing. 
Defaults Local 

See Also Set/Define Ports Backward Switch, page -43; Set/Define Ports Forward 
Switch, page -51; Set/Define Ports Local Switch, page -53; Exiting Sessions, 
page -5 

11.7.19 Set/Define Ports Broadcast 



{SET | DEFINE} PORTS [PortList | ALL] BROADCAST {ENABLED | DISABLED} 

Enables or disables other users' broadcasts to this port. Broadcasts are typically disabled when extra 
messages are not desired on the port's output device. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. Secure users may not use this command. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Enabled 

Examples Local> SET PORTS BROADCAST ENABLED 

See Also Broadcast, page -5; Set/Define Server Broadcast, page -102 

11.7.20 Set/Define Ports Character Size 



{SET | DEFINE} PORTS [PortList | ALL] CHARACTER [SIZE] {ENABLED | DISABLED} 

Sets the number of bits per character for the serial port. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. Secure users may not use this command. 

Errors Autobaud only works for 8 bits, or for 7 bits with even parity. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Size 

Character size must be either 7 or 8 bits. 
Defaults 8 bits 

Examples Local> SET PORTS CHARACTER SIZE 7 

See Also Set/Define Ports Autobaud, page -40; Set/Define Ports Parity, page -55; 
Chapter 8, Modems 

11.7.21 Set/Define Ports Command Completion 













{SET | DEFINE} PORTS [PortList | ALL] COMMAND [COMPLETION] {ENABLED | DISABLED} 

Enables or disables the command completion feature. If enabled, the unit will attempt to complete 
partially-typed command words when the user presses the Space or Tab keys. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. 

Errors If the partially-entered command is ambiguous (or if you are typing an optional 
string), the unit sends a beep to the terminal. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

Examples Local> SET PORTS COMMAND ENABLED 

11.7.22 Define Ports Dedicated 









DEFINE PORTS [PortList | ALL] DEDICATED {{TELNET | RLOGIN} host[:EnvString] | NONE} 





Sets up a dedicated Telnet host or service that the specified port will connect to whenever it is logged in. If 
you are logged in to a dedicated port, you will be logged off the server when the remote service is logged out. 

If the port is dedicated to a Telnet host, an environment string can be part of the dedicated host name. There 
should be no spaces between the hostname, colon, and environment string. 

Note: Dedicating all unit ports is dangerous, as it leaves no easy way to log into the 
server. (In other words, users can no longer quickly access the Local> prompt.) 
If all ports are dedicated, users must connect via the console ports, or the unit 
must have incoming logins enabled. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 
Telnet 

The port is dedicated to this Telnet host. Must be used in conjunction with the 
host parameter. 

Rlogin 

The port is dedicated to this Rlogin host. Must be used in conjunction with the 
host parameter. 

None 

Clears any existing Dedicated service. 

host 

A text host name or an IP address in standard numeric format (for example, 
192.0.1.183). 

EnvString 

Sets up the connection environment before the session is started. The string is 
constructed with a sequence of key letters, some of which are prefaced by 
either "+" or "-". The key letters are: (VERIFY) 

Examples Local> DEFINE PORT 5 DEDICATED 192.0.1.221 

Local> DEFINE PORT 2 DEDICATED irvine:+D 

See Also Connect, page -33; Set/Define Ports Preferred, page -57; Define Ports 
PPPdetect, page -60; Set/Define Ports SLIPdetect, page -64; Show/Monitor/ 
List Ports, page -72; Setting Session Characteristics, page -6 

11.7.23 Define Ports Dialback 



DEFINE PORTS [PortList | ALL] DIALBACK {ENABLED | DISABLED} 

Turning on Dialback causes the unit to check the dialback table (see Set/Define Dialback) each time a user 
logs in. If the entered username is not in the table, the port is logged out. If the username is in the table, the 
port is logged out and the unit sends the dialback string to the port and awaits a second login. Typically, the 
dialback string will cause the modem attached to the port to call the user back at a certain telephone number 
for security reasons. Ports with dialback enabled have a 30-second time limit for entering the username 
when logging in. 

In order to use Dialback functionality, modem control must be enabled, and a modem profile must be 
associated with the port. When Dialback is enabled, Modem Control is enabled by default. However, 
disabling Dialback does not disable Modem Control; Modem Control must explicitly be disabled if so 
desired. 

Restrictions Requires privileged user status. 
Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Examples Local> DEFINE PORT 3 DIALBACK ENABLED 

See Also Set/Define Dialback, page -148; Show/Monitor/List Dialback, page -159; 
Define Ports Modem Control, page -82; Define Ports Modem Type, page -91; 
Show/Monitor/List Ports, page -72; Dialback, page -12; Dialback, page -5 

11.7.24 Set/Define Ports DSRLogout 













{SET | DEFINE} PORTS [PortList | ALL] DSRLOGOUT {ENABLED | DISABLED} 



When enabled, the port will be logged out when the port's DSR signal is dropped. This usually only occurs 
when the attached terminal device is powered off or disconnected; it is intended to keep users from 
switching terminal lines to access other sessions. Any open connections will be closed before logging out. 

Restrictions Requires privileged user access. 

Errors Modem Control and DSRLogout are mutually exclusive. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also DSR Logouts, page -11; Serial Signals, page -16 

11.7.25 Set/Define Ports DTRWait 

{SET | DEFINE} PORTS [PortList | ALL] DTRWAIT {ENABLED | DISABLED} 



If enabled, the unit will not assert the DTR signal on the serial port until a user logs into the port, connects 
to the port via a service, or connects to the port via a Telnet connect. When the port is idle, DTR will not be 
asserted. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also Define Ports Modem Control, page -82; Set/Define Ports Flow Control, page -50; 
DTR (Data Terminal Ready), page -18 

11.7.26 Set/Define Ports Flow Control 

{SET | DEFINE} PORTS [PortList | ALL] FLOW [CONTROL] {NONE | CTS | XON} 

Sets the type of flow control on the port. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. Secure users may not use this command. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 
None 

No flow control will be performed. 

CTS 

Sets the flow control type to RTS/CTS. 

XON 

Sets the flow control type to XON/XOFF. 

Defaults XON 

Examples Local> SET PORTS FLOW CONTROL CTS 

See Also Set/Define Ports DTRWait, page -50; Flow Control, page -15 

11.7.27 Set/Define Ports Forward Switch 













{SET | DEFINE} PORTS [PortList | ALL] FORWARD [SWITCH] {character | NONE} 



Defines a "forward" key. From character (Local>) mode, typing this key functions as if the Forward 
command was entered; the user may switch to the previous session without entering character mode. 

Any key can be specified unless it conflicts with unit line editing or the Break or Backward keys. The key 
you specify will be stripped from the data stream, so while it won't interfere with remote operating systems, 
you will lose any functionality that key would have on local programs. 



Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Switch 

Defines the control character. Must be used in conjunction with the character 
parameter. 
character 

The character to be used as the forward switch. To specify a control character, 
use escaped hex (\xx). For example, Ctrl-B (ASCII character 0x02) would be 
specified as \02. 

None 

Clears the current switch character. 



Defaults None configured 

Examples Local> SET PORT 2 FORWARD SWITCH \02 

See Also Forwards, page -7; Set/Define Ports Backward Switch, page -43; Set/Define 
Ports Local Switch, page -53; Switching Between Sessions, page -5 

11.7.28 Set/Define Ports Inactivity Logout 















{SET | DEFINE} PORTS [PortList | ALL] INACTIVITY [LOGOUT] {ENABLED | DISABLED} 

Enables automatic logout of the port if it has been "inactive" for a set period of time. Inactive is defined as 
having no keyboard or network activity on the port. The port's open connections (if any) will be closed 
before logging out. 

Note: The inactive period is configured using the Set/Define Server Inactivity 
command. 

This command is ignored for remote networking connections. See the Define Site Idle command. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also Define Site Idle, page -124; Set/Define Server Inactivity, page -104 
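The port settings described under Ports Access, Authenticate, Autobaud, Autostart and Inactivity Logout interact, so a planned command list is worth replaying before it is entered. The linter below is an added example, not code from this manual or from SMC: its function names and the sample PLAN are constructed, it models only those five settings in their keyword/value form, and the two "policy" findings are an assumed site baseline rather than a requirement stated here.

```python
# Added illustration (not vendor code): replay planned port commands over the
# documented defaults and report conflicts before they reach the unit.
import re

MAX_PORT = 16  # "an integer between 1 and 16"
DEFAULTS = {"ACCESS": "DYNAMIC", "AUTHENTICATE": "DISABLED",
            "AUTOBAUD": "DISABLED", "AUTOSTART": "DISABLED",
            "INACTIVITY": "DISABLED"}
ACCESS_VALUES = {"DYNAMIC", "LOCAL", "NONE", "REMOTE"}
ON_OFF = {"ENABLED", "DISABLED"}
# Enabling one of these disables the other on the same port.
EXCLUSIVE = {"AUTOBAUD": "AUTOSTART", "AUTOSTART": "AUTOBAUD"}


def parse_portlist(text):
    """Expand '2,4-6' into [2, 4, 5, 6]: commas for lists, dashes for ranges."""
    ports = set()
    for item in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError("bad PortList item %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError("port range %r outside 1-%d" % (item, MAX_PORT))
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def apply_commands(lines, current_port=1):
    """Return (config, notes) after replaying SET/DEFINE PORTS lines."""
    config = {p: dict(DEFAULTS) for p in range(1, MAX_PORT + 1)}
    notes = []
    for line in lines:
        words = line.upper().split()
        if (len(words) < 4 or words[0] not in ("SET", "DEFINE")
                or words[1] not in ("PORT", "PORTS")):
            raise ValueError("not a SET/DEFINE PORTS command: %r" % line)
        rest = words[2:]
        if rest[0] == "ALL":
            ports, rest = sorted(config), rest[1:]
        elif rest[0][0].isdigit():
            ports, rest = parse_portlist(rest[0]), rest[1:]
        else:  # no PortList or ALL: the current port only
            ports = [current_port]
        keyword, value = rest[0], rest[-1]  # rest[-1] skips optional LOGOUT
        allowed = ACCESS_VALUES if keyword == "ACCESS" else ON_OFF
        if keyword not in DEFAULTS or value not in allowed:
            raise ValueError("unsupported setting in %r" % line)
        for port in ports:
            other = EXCLUSIVE.get(keyword)
            if other and value == "ENABLED" and config[port][other] == "ENABLED":
                config[port][other] = "DISABLED"
                notes.append("port %d: %s disabled because %s was enabled"
                             % (port, other, keyword))
            config[port][keyword] = value
    return config, notes


def audit(config):
    """Return (port, kind, message) findings; kind is 'conflict' or 'policy'."""
    findings = []
    for port, c in sorted(config.items()):
        net = c["ACCESS"] in ("DYNAMIC", "REMOTE")
        if net and c["AUTOBAUD"] == "ENABLED":
            findings.append((port, "conflict",
                             "Autobaud must be disabled for Remote and Dynamic ports"))
        if net and c["AUTHENTICATE"] == "DISABLED":  # assumed baseline
            findings.append((port, "policy",
                             "accepts network connections with Authenticate disabled"))
        if c["ACCESS"] != "NONE" and c["INACTIVITY"] == "DISABLED":  # assumed baseline
            findings.append((port, "policy", "Inactivity Logout disabled"))
    return findings


# Constructed sample plan, not taken from a real unit.
PLAN = [
    "DEFINE PORTS ALL ACCESS LOCAL",
    "DEFINE PORTS 2,4-6 ACCESS REMOTE",
    "DEFINE PORTS 2,4-5 AUTHENTICATE ENABLED",
    "DEFINE PORTS ALL INACTIVITY LOGOUT ENABLED",
    "DEFINE PORTS 3 AUTOSTART ENABLED",
    "DEFINE PORTS 3 AUTOBAUD ENABLED",
]

if __name__ == "__main__":
    cfg, notes = apply_commands(PLAN)
    for entry in notes + ["port %d: %s: %s" % f for f in audit(cfg)]:
        print(entry)
```

With the sample plan, port 6 is reported because the Authenticate range stopped at port 5, and port 3 loses Autostart when Autobaud is enabled after it.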




11.7.29 Set/Define Ports Local Switch 















{SET | DEFINE} PORTS [PortList | ALL] LOGOUT [SWITCH] {character | NONE} 

Defines a "local switch" key. From character (Local>) mode, typing this key functions as if the Forward 
command was entered; the user may switch to the previous session without entering character mode. 

Any key can be specified unless it conflicts with unit line editing or the Break or Forward/Backward keys. 
The key you specify will be stripped from the data stream, so while it won't interfere with remote operating 
systems, you will lose any functionality that key would have on local programs. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Switch 

Defines the control character. Must be used in conjunction with the character 
parameter. 

character 

The character to be used as the local switch. To specify a control character, use 
escaped hex (\xx). For example, Ctrl-B (ASCII character 0x02) would be 
specified as \02. 

None 

Clears the current switch character. 

Defaults None configured 

Examples Local> SET PORT 2 LOCAL SWITCH \02 

See Also Set/Define Ports Break, page -44; Set/Define Ports Backward Switch, page -43; 
Set/Define Ports Forward Switch, page -51; Sessions, page -4 

11.7.30 Set/Define Ports Loss Notification 













{SET | DEFINE} PORTS [PortList | ALL] LOSS [NOTIFICATION] {ENABLED | DISABLED} 

Sends the terminal device a Ctrl-G (Bell) when a typed character is lost due to a data error or an overrun on 
the unit. 

Restrictions Requires privileged user status if you want to use this command on a port other 
than your own. Secure users may not use this command. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Enabled 

See Also Notification of Character Loss, page -13 

11.7.31 Set/Define Ports Menu 













{SET | DEFINE} PORTS [PortList | ALL] MENU {ENABLED | DISABLED} 

Specifies whether or not the port will be placed in menu mode at login. If it is disabled, the Local> prompt 
will appear at login. If it is enabled, a menu screen will be displayed; the Local> prompt is not accessible. 

Restrictions Requires privileged user status if you want to use this command on ports other 
than your own. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 
Defaults Disabled 

See Also Clear/Purge Menu, page -33; Set/Define Menu, page -38; Show/Monitor/List 
Menu, page -72; Menu Mode, page -12; Menu Mode, page -20 

11.7.32 Set/Define Ports Name 



{SET | DEFINE} PORTS [PortList | ALL] NAME portname 



Sets a unique name for each port, or a common name for a group of ports. Giving the same name to several 
ports may be desirable, for example, when you want to label them as modem connection ports or dedicated 
SLIP/PPP ports. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

portname 

A name of up to 16 characters composed of alphanumerics or the underscore 
("_") character. If the name is not enclosed in quotation marks, it will be 
converted to uppercase. 

Note: The default portname is Port_n, where n is the port number. 

Examples Local> SET PORT 2 NAME "highspeed_modem"

See Also Naming a Port, page -13 



11.7.33 Set/Define Ports Parity

{SET | DEFINE} PORTS [PortList | ALL] PARITY {ODD | EVEN | NONE}

Sets the serial port's parity to Odd, Even, or None (no parity). Note that changing the parity may affect the
configured character size.

Restrictions Requires privileged user status if you want to use this command on ports other
than your own. Secure users may not use this command.

Errors Autobaud will not work unless the port is using 8 bit characters, or 7 bit
characters with even parity.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

Defaults None (no parity) 

See Also Set/Define Ports Autobaud, page -40; Set/Define Ports Character Size, page
46; Serial Port Configuration, page -12

11.7.34 Set/Define Ports Password

{SET | DEFINE} PORTS [PortList | ALL] PASSWORD {ENABLED | DISABLED}

Controls whether or not a password is required to log in to the server from this port. The Set/Define Server
Login Password command is used to set the password.

Restrictions Requires privileged user status.

Errors The virtual port (port 0) password must be enabled or disabled with the Define
command.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

Defaults Disabled 

See Also Set/Define Server Login Password, page -106; Login Password, page -10 
11.7.35 Set/Define Ports Preferred

{SET | DEFINE} PORTS [PortList | ALL] PREFERRED {[TELNET | RLOGIN] hostname[:envstring] | NONE}

Specifies a default service for this port. The unit will attempt to use the preferred service for
Autoconnecting, as well as when no service name is specified in a Connect, Telnet, or Rlogin command.

Restrictions Requires privileged user status if you want to use this command on ports other
than your own.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Telnet 

Specifies that the service is a default Telnet connection. If there is no local 
nameserver defined, the host must be specified with a numeric hostname. Must 
be used in conjunction with the hostname parameter. 

Rlogin 

A synonym for Telnet hostname. Ports set up to use Rlogin will still use Telnet 
for the connection. Must be used in conjunction with the hostname parameter. 

hostname 

TCP host name of 40 characters or less, or an IP address in standard numeric 
format (for example, 192.0.1.3). 



envstring

Sets up the connection environment before the session is started. The string is
constructed with a sequence of key letters, some of which are prefaced by
either "+" or "-". See Appendix A, Environment Strings.

Defaults None

Examples Local> SET PORT 2 PREFERRED 192.0.1.3
Local> SET PORT 3 PREFERRED todd

See Also Connect, page -33; Rlogin, page -38; Set/Define Ports Autoconnect, page -41;
Define Ports Dedicated, page -47; Setting Session Characteristics, page -6
11.7.36 Define Ports PPP

DEFINE PORTS [PortList | ALL] PPP {ENABLED | DISABLED | DEDICATED}
DEFINE PORTS [PortList | ALL] PPP ACCM {map | XONXOFF}
DEFINE PORTS [PortList | ALL] PPP {CHAP | PAP} {BOTH | LOCAL | REMOTE | DISABLED}
DEFINE PORTS [PortList | ALL] PPP COUNTER {CONFIGURE | FAILURE | TERMINATE} num
DEFINE PORTS [PortList | ALL] PPP {HEADERCOMPRESSION | MAGICNUMBER | PROTOCOLCOMPRESSION} {ENABLED | DISABLED}
DEFINE PORTS [PortList | ALL] PPP MULTILINK {ENABLED | DISABLED}
DEFINE PORTS [PortList | ALL] PPP TIMEOUT time

Enables PPP to run on the specified port and configures PPP-related settings. This command does not start
PPP.

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Enabled/Disabled

Enables or disables PPP on a specified port, but does not start PPP.

Dedicated

Configures a port to always be in PPP mode. The port will automatically run
PPP when it is started. No other protocol can be run on the port; it will continue
to run until it is logged out.

ACCM

Enters an asynchronous control map in hexadecimal. Bits turned on represent
ASCII characters that will be escaped in the PPP data stream. See Character
Escaping on page 6-1 for more information.

map

A hexadecimal value between 0x00000000 and 0xffffffff.

XONXOFF

A default map that escapes the XON and XOFF software flow control
characters.

CHAP

Configures the Challenge Handshake Authentication Protocol (CHAP). See
PPP Authentication on page 6-2.

PAP

Configures the Password Authentication Protocol (PAP). See PPP
Authentication on page 6-2 for more information.

Both

Enables authentication for both this node and the remote node.

Disabled

Turns off CHAP/PAP authentication.

Local

The unit will authenticate itself to the unit.

Remote

The remote node will authenticate itself to the unit.

Counter

Specifies the number of configuration retries for the Link protocol and all
Network Control protocols.

Configure

Specifies the number of Configure-Requests to send before giving up
negotiation.

Failure

Specifies the number of Configure-Naks to send before giving up negotiation.

Terminate

Specifies the number of Terminate-Requests to send before disconnecting.

num

An integer between 1 and 255.

HeaderCompression

Enables or disables compression of PPP headers. See Header Compression on
page 6-1 for more information.

MagicNumber

Controls PPP magic numbers.

ProtocolCompression

Configures the compression of protocol information in PPP.

Timeout

Sets the timeout value, in tenths of seconds, for the Link Control Protocol and
all Network Control protocols.

time

An integer between 1 and 255, representing a length of time in tenths of
seconds. For example, a setting of 25 equals 2.5 seconds.

Multilink

Allows the unit to add the specified port to a PPP connection to increase
bandwidth on demand.

Defaults PPP: Disabled
Map value: 0x00000000
CHAP and PAP: Disabled
Counter Configure: 10 requests
Counter Failure: 5 Configure-NAKs
Counter Terminate: 2 requests
HeaderCompression, MagicNumber, ProtocolCompression: Enabled
Timeout: 30 seconds
Multilink: Disabled

Examples Local> DEFINE PORT PPP ACCM 0X000A0000
Local> DEFINE PORT PPP CHAP LOCAL
Local> DEFINE PORT PPP PAP REMOTE
Local> DEFINE PORT PPP COUNTER FAILURE 5
Local> DEFINE PORTS 2-4 PPP HEADERCOMPRESSION ENABLED
Local> DEFINE PORT 2 PPP MAGICNUMBER ENABLED
Local> DEFINE PORT 3 PPP TIMEOUT 25
Local> DEFINE PORT PPP MULTILINK ENABLED

See Also Define Ports PPPdetect, page -60; Purge Port PPP, page -37; Show/Monitor/
List Logging PPP, page -160; Set PPP, page -71; Show/Monitor/List Ports
PPP, page -72; PPP, page -1; Chapter 6, PPP



11.7.37 Define Ports PPPdetect

Automatically detects incoming PPP characters and starts running PPP.

Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also Define Ports PPP, page -58; Purge Port PPP, page -37; Set/Define Logging
PPP, page -155; Set PPP, page -71; Show/Monitor/List Ports PPP, page -72;
PPP, page -1; Chapter 6, PPP

11.7.38 Set/Define Ports Printer

{SET | DEFINE} PORTS [PortList | ALL] PRINTER {ENABLED | DISABLED}

If enabled, the server will verify that the port is online before sending data to it.

Restrictions Requires privileged user status.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 



11.7.39 Set/Define Ports Security

{SET | DEFINE} PORTS [PortList | ALL] SECURITY {ENABLED | DISABLED}

Setting a port to Secure status restricts its access to commands and the ability to get information about
other ports using Show/List commands. Privileged commands are not available to secure users. Certain
other commands cannot be entered for a port other than the secure user's own port.

Restrictions Requires privileged user status.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also Preferred & Dedicated Services, page -8; Chapter 10, Security 

11.7.40 Set/Define Ports Session Limit

{SET | DEFINE} PORTS [PortList | ALL] SESSION LIMIT {limit | NONE}

Limits the number of active sessions on a port. The maximum number of sessions configured for a port
cannot exceed the server session limit.

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

limit

An integer between 0 and 8.

None

Allows the maximum number of sessions.

Defaults Limit: 4 sessions

See Also Set/Define Server Session Limit, page -110; Sessions, page -4

11.7.41 Set/Define Ports Signal Check

{SET | DEFINE} PORTS [PortList | ALL] SIGNAL [CHECK] {limit | NONE}

Determines whether or not the DSR signal will be checked for when remote connections to the port are
made. If enabled, remote connections to the port will not be permitted unless the DSR signal is asserted.

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also DSR for Controlling Remote Logins, page -18 

11.7.42 Define Ports SLIP

DEFINE PORTS [PortList | ALL] SLIP {ENABLED | DISABLED | DEDICATED}

The Enabled and Disabled parameters determine whether or not SLIP can be run on the specified port. The
Dedicated parameter devotes that port to SLIP mode.

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 






Dedicated 

The specified port will automatically run SLIP when it is started. No other 
protocol can be run on the port; it will continue to run SLIP until it is logged 
out. 

Defaults Disabled 

See Also Set/Define Ports SLIPdetect, page -64; Set SLIP, page -71; Show/Monitor/List
Ports SLIP, page -72; Starting PPP/Slip for Incoming Connections, page -8

11.7.43 Set/Define Ports SLIPdetect

{SET | DEFINE} PORTS [PortList | ALL] SLIPDETECT {ENABLED | DISABLED}

Automatically detects and starts running SLIP. Be aware that automatically running SLIP is a potential
security hazard.

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Disabled 

See Also Starting PPP or SLIP with Automatic Protocol Detection, page -9 
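
The defaults documented above leave the port login password and PPP CHAP/PAP disabled, and the manual itself flags SLIPdetect as a hazard. The following added example (not part of the original manual) replays a saved list of SET/DEFINE PORTS commands onto those defaults and reports the ports left in a weak state. The function names, finding texts and sample script are constructed; SET and DEFINE are treated alike, and only the settings named here are tracked.

```python
import re

PORT_COUNT = 16  # the manual limits port numbers to 1-16
# Defaults stated in the manual for the settings this audit tracks.
DEFAULTS = {"password": False, "slipdetect": False,
            "ppp": "DISABLED", "chap": "DISABLED", "pap": "DISABLED"}
ON_OFF = ("ENABLED", "DISABLED")

NO_PASSWORD = "login password not required"
SLIP_AUTO = "SLIP autodetect enabled"
NO_PEER_AUTH = "PPP allowed but the remote node is not authenticated"


def expand_portlist(token):
    """Expand 'ALL', '3', '2-4' or '1,5,7-9' into a sorted list of ports."""
    if token.upper() == "ALL":
        return list(range(1, PORT_COUNT + 1))
    ports = set()
    for part in token.split(","):
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not match:
            raise ValueError(f"bad PortList element: {part!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 1 <= low <= high <= PORT_COUNT:
            raise ValueError(f"port out of range 1-{PORT_COUNT}: {part!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def replay(commands, current_port):
    """Apply SET/DEFINE PORTS commands to a per-port copy of the defaults."""
    state = {port: dict(DEFAULTS) for port in range(1, PORT_COUNT + 1)}
    for line in commands:
        words = re.sub(r"^\s*Local>\s*", "", line).split()
        if len(words) < 3 or words[0].upper() not in ("SET", "DEFINE"):
            continue
        if words[1].upper() not in ("PORT", "PORTS"):
            continue
        rest = words[2:]
        # PortList/ALL is optional; without it only the current port changes.
        if rest[0].upper() == "ALL" or rest[0][0].isdigit():
            ports, rest = expand_portlist(rest[0]), rest[1:]
        else:
            ports = [current_port]
        keys = [word.upper() for word in rest]
        if (len(keys) == 2 and keys[0] in ("PASSWORD", "SLIPDETECT")
                and keys[1] in ON_OFF):
            field, value = keys[0].lower(), keys[1] == "ENABLED"
        elif (len(keys) == 2 and keys[0] == "PPP"
              and keys[1] in ON_OFF + ("DEDICATED",)):
            field, value = "ppp", keys[1]
        elif (len(keys) == 3 and keys[0] == "PPP" and keys[1] in ("CHAP", "PAP")
              and keys[2] in ("BOTH", "LOCAL", "REMOTE", "DISABLED")):
            field, value = keys[1].lower(), keys[2]
        else:
            continue  # a setting this audit does not track
        for port in ports:
            state[port][field] = value
    return state


def audit(state):
    """Return (port, finding) pairs for ports left in a weak configuration."""
    findings = []
    for port, cfg in sorted(state.items()):
        if not cfg["password"]:
            findings.append((port, NO_PASSWORD))
        if cfg["slipdetect"]:
            findings.append((port, SLIP_AUTO))
        peer_checked = {cfg["chap"], cfg["pap"]} & {"REMOTE", "BOTH"}
        if cfg["ppp"] != "DISABLED" and not peer_checked:
            findings.append((port, NO_PEER_AUTH))
    return findings


# Constructed sample script, not taken from a real unit.
SAMPLE = """\
Local> DEFINE PORTS ALL PASSWORD ENABLED
Local> DEFINE PORTS 2-4 PPP ENABLED
Local> DEFINE PORTS 2,3 PPP CHAP REMOTE
Local> DEFINE PORT 5 SLIPDETECT ENABLED
Local> DEFINE PORT 6 PASSWORD DISABLED
""".splitlines()

if __name__ == "__main__":
    for port, finding in audit(replay(SAMPLE, current_port=1)):
        print(f"port {port}: {finding}")
```

Run against an empty command list, the audit reports every port, because the documented default for Password is Disabled.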



11.7.44 Set/Define Ports Speed

{SET | DEFINE} PORTS [PortList | ALL] SPEED speed

Specifies the baud rate of the port.

Restrictions Requires privileged user status if you want to use this command on ports other
than your own. Secure users may not use this command.

Errors An error is displayed for illegal baud rates.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

speed 

One of the following baud rates: 300, 600, 1200, 2400, 4800, 9600, 19200, 
38400, 57600, 115200, and 230400. 

Defaults 9600 baud 

Examples Local> SET PORTS SPEED 2400

See Also Set/Define Ports Autobaud, page -40; Modem Speeds, page -1 

11.7.45 Set/Define Ports Stop



j SET 


■ PORTS 


PortList 


STOP j * j 


1 DEFINE 




ALL 





Specifies the stop bit count for the port. The default is to use one stop bit. 

Restrictions Requires privileged user status if you want to use this command on ports other 

than your own. Secure users may not use this command. 

Errors An error is displayed if an invalid stop bit number is entered. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults 1 stop bit 

11.7.46 Set/Define Ports Telnet Pad

{SET | DEFINE} PORTS [PortList | ALL] TELNET PAD {ENABLED | DISABLED}

If Telnet Pad is enabled (the default), the server automatically pads carriage returns with null characters for
Telnet sessions.

Restrictions Requires privileged user status if you want to use this command on ports other
than your own.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges).



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Enabled 

See Also Padding Return Characters, page -13 



11.7.47 Set/Define Ports TermType

{SET | DEFINE} PORTS [PortList | ALL] TERMTYPE {TermString | NONE}

Specifies a terminal type for the port. The terminal type is reported to the destination node in Telnet and
Rlogin sessions. Example terminal types might be VT100 or IBM1000.

Restrictions Requires privileged user status if you want to use this command on ports other
than your own.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges).



Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

TermString

Enter a string of up to 8 characters in length.

None

Clears the field. There is no terminal type configured by default.

Defaults None defined

See Also Specifying a Terminal Type, page -14



11.7.48 Set/Define Ports Type

{SET | DEFINE} PORTS [PortList | ALL] TYPE {ANSI | SOFTCOPY | HARDCOPY}

Describes the type of device connected to the port.

Restrictions Requires privileged user status to use this command on ports other than your
own.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

ANSI

VT100 compatible devices.

Softcopy

VT100 without clear screen or cursor controls.

Hardcopy

Deleted characters are echoed between backslashes; there is no cursor
movement.

Defaults Softcopy

See Also Setting the Device Type, page -13

11.7.49 Set/Define Ports Username

{SET | DEFINE} PORTS [PortList | ALL] USERNAME {username | NONE}

Used to specify a username for the port. When the username is defined, you will not be asked for one when
logging in to the port.

Restrictions Requires privileged user status to use this command on ports other than your
own. Secure users may not use this command.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

username

A name of up to 16 characters in length, converted to all uppercase unless
enclosed in quotes.

None

Clears a current username.

Defaults None

See Also Specifying a Username, page -13



11.7.50 Set/Define Ports Verification

{SET | DEFINE} PORTS [PortList | ALL] VERIFICATION {ENABLED | DISABLED}

When enabled, the server will issue informational messages whenever a session is connected, disconnected,
or switched.

Restrictions Requires privileged user status if you wish to use this command on ports other
than your own.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note : In the absence of a PortList or the All parameter, the configuration will affect the 
current port only. 

Defaults Enabled 

See Also Sessions, page -4 

11.7.51 Set Privileged/Noprivileged

SET {PRIVILEGED [OVERRIDE] | NOPRIVILEGED}



Changes the current port's privilege status. Only one port on the server can be privileged at any time. The 
Override parameter is provided to force your current port to become the privileged port (and the previously 
privileged port loses the privilege). 

When changing your port to privileged status, you will be queried for the privileged password. The factory 
default privileged password is system; this password can be changed with the Set Server Privileged 
Password command. If the password is forgotten, the server can be reset to factory defaults using the 
Initialize commands. 

Restrictions To use the Privileged parameter, you must know the privileged password. 

Secure users cannot become privileged. 

Examples Local> SET NOPRIVILEGED
Local> SET PRIVILEGED OVERRIDE

See Also Set/Define Ports Security, page -61; Privileged Password, page -6 

11.7.52 Set Session

SET SESSION {DELETE {DELETE | BACKSPACE} | ECHO {ENABLED | DISABLED} | NEWLINE {CR | LF | CRLF} | INTERACTIVE | PASSALL | PASTHRU}

Specifies the characteristics for the current session.

Parameters Delete

Specifies which character to send as the delete character. Set Session Delete
sends a delete character (ASCII 0x7f). This command has no effect if Pasthru
or Passall are in effect. This command and the Newline command may be
helpful if you are getting odd output from a Telnet session.

Backspace

Set Session Delete Backspace sends a backspace character (ASCII 0x8, or
Ctrl-H).

Echo

Enabling asks the unit to echo for TCP connections. The default is Disabled,
on the assumption that the remote host will provide echoing.

Newline

Changes what is sent to the remote service when you press the newline (usually
<Return>) key. This command has no effect if Pasthru or Passall (see below)
are in effect.

CR

Send carriage returns (ASCII 0xA) only.

LF

Send linefeeds (ASCII 0xD) only.

CRLF

Send both carriage return and linefeed.

Interactive

Allows server-specific keys (i.e. Forward, Backward, and Local) and messages
to be interpreted by the unit.

Passall

Disables server interpretation of switch characters, messages, and XON/XOFF
flow control. Used for binary transfers, such as executable files and graphics.

Pasthru

Disables server interpretation of switch characters and server messages, but
not XON/XOFF flow control. Used for ASCII file transfers.

Defaults Delete: Delete
Newline: CR

Examples Local> SET SESSION DELETE BACKSPACE
Local> SET SESSION NEWLINE CRLF

See Also Sessions, page -4



11.7.53 Set PPP

SET PPP [SiteName] [IPADDRESS address]

Starts PPP on this port using the specified site's configuration.

Parameters IPaddress

Defines the non-negotiable remote IP address.

address

An IP address in standard numeric format (for example, 193.0.1.50).

SiteName

A name of 12 characters or less. If no site name is given, a site with the default
site characteristics will be used.

Examples Local> SET PPP irvine
Local> SET PPP allison IPADDRESS 191.1.1.1

See Also Define Ports PPP, page -58; Chapter 6, PPP



11.7.54 Set SLIP 




Starts SLIP on this port using the specified site's configuration. 



Parameters SiteName

A site name of up to 12 characters. If no site name is given, a site with the
default site characteristics will be used.

IPaddress

Defines the non-negotiable remote IP address.

address

An IP address in standard numeric format (for example, 192.75.2.0).

Examples Local> SET SLIP irvine
Local> SET SLIP allison IPADDRESS 192.0.1.221

See Also Set/Define Ports SLIPdetect, page -64; Starting PPP/Slip for Incoming
Connections, page -8



11.7.55 Show/Monitor/List Menu

{SHOW | MONITOR | LIST} MENU



Displays the current or saved Menu entries. 

Restrictions You must be the privileged user to use the Monitor command. 

Secure users may not use this command. 

See Also Clear/Purge Menu, page -33; Set/Define Menu, page -38; Menu Mode, page
12; Menu Mode, page -20

11.7.56 Show/Monitor/List Ports

{SHOW | MONITOR | LIST} PORTS [ALL | PortNum | ACCESS {LOCAL | DYNAMIC | REMOTE | NONE}] [CHARACTERISTICS | COUNTERS | STATUS | SUMMARY | PPP | MODEM [STATUS]]

These commands display information about the server's ports. The current port is the default, unless another
port number or All is specified. You can also get information about all the local ports having a particular
Access value. If no keywords are added to the command, the current port's Characteristics will be shown.

If the port is a virtual port, irrelevant information (such as baud rate, parity, or flow control) will not be 
displayed. Any List command performed for a virtual port will display the template port's configuration. 






Restrictions You must be the privileged user to use the Monitor command.

Secure ports cannot Show or List ports other than their own.

Errors Status and Counters parameters are not valid with List.

Counters is not valid for virtual ports.

Parameters All

Displays information for all ports.

PortNum

Specifies a particular port.

Access

Display ports that match a specified access-type. Must be used in conjunction 
with the Local, Dynamic, Remote, or None parameter. 

Local 

Displays ports set to Local access. Local access restricts logins on the port to 
local users. 

Dynamic 

Displays ports set to Dynamic access. Dynamic access permits local or remote 
users to log into the port. 

Remote 

Displays ports set to Remote access. Remote access restricts logins on the port 
to remote (network) users. 

None 

Displays ports with access set to None. None prevents all access to the port, 
including user logins. 

Characteristics 

Displays information from the operational database about the specified ports, 
including the port's settings, such as baud rate, parity, preferred services, 
name, username, and group codes. 

Counters 

Displays the port's local and remote accesses as well as any communication 
errors. 

Status 

Displays information regarding the port's serial connections, including the 
current flow control state and the state of the DSR and DTR signals. 

Summary 

Displays a one-line summary of information about the specified ports. The 
information includes type of access, status, and services offered. The Summary 
option shows the access type, any offered services, and the login status of the 
port. 

PPP

Displays information about the Point to Point Protocol's Link Control Protocol
on the specified ports.

Modem

Displays information about modem control and configuration strings on the
specified ports.

Status

The Modem Status option shows the last connect speed of the modem
connected to the specified port(s), and the last available Caller-ID information
for the port(s). Modem control must be enabled for this command to work.

Note: The Modem Status option is of no use for remote access or no access ports.

Examples Local> SHOW PORT ALL SUMMARY
Local> LIST PORT ACCESS DYNAMIC COUNTERS

See Also Chapter 7, Chapter 7



11.7.57 Show/Monitor Sessions

{SHOW | MONITOR} SESSIONS [PORT PortNum | ALL]

Displays information about the specified sessions.

Restrictions You must be the privileged user to use the Monitor command.

Secure users cannot specify Port or All.

Parameters PortNum

Specifies a particular port.

All

Displays the sessions currently running on all ports.

Examples Local> SHOW SESSION
Local> SHOW SESSION PORT 5

See Also Set/Define Ports Security, page -61; Sessions, page -4



11.7.58 Test Port

TEST PORT [PortNum] [POSTSCRIPT] [COUNT lines] [WIDTH characters]

Tests a serial port's connection by sending a continuous stream of ASCII alphabetic characters until the
number of lines specified by Count is reached. You can stop the test by pressing any key.

Restrictions Non-privileged users may only test their own port.

Virtual and multisession-enabled ports can only be tested by the user on that
port.

Parameters PortNum

Specifies a particular unit port.

PostScript

Sends a Postscript test page to the port instead of ASCII data.

Count

Specifies the number of test lines to be sent, or if in postscript mode, the
number of pages to print. Any character will terminate the test. Must be used
in conjunction with the lines parameter.

lines

The number of lines to be sent to the port. There is no line limit.

Width

The number of characters per line in the test pattern. Must be used in
conjunction with the characters parameter.

characters

Enter an integer between 1 and 132, inclusive.

Examples Local> TEST PORT
Local> TEST PORT 4 WIDTH 45 COUNT 5


11.7.59 Telnet 

Telnet is a shorthand for the Connect Telnet command. For a description of the command, see Connect on 
page -33. 



11.7.60 Unlock Port 



UNLOCK PORT PortNum



Unlocks a locked port, which may be necessary if the user has locked the port and forgotten the password. 
The command does nothing if the port is already unlocked. 

Restrictions Requires privileged user status. 

Parameters PortNum 

The number of the locked unit port. 

Examples Local> UNLOCK PORT 6

See Also Lock, page -35; Locking a Port, page -9; Locking a Port, page -19






11.8 Modem Commands

11.8.1 Define Ports Modem Answer

DEFINE PORTS [PortList | ALL] MODEM ANSWER {COMMAND string | DisableString EnableString | ENABLED | DISABLED | RINGS {1 | 3}}

Permits or prevents a modem from automatically answering the line, optionally after a specified number of
rings.

Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

Command

Changes the answer command that is actually sent to the modem to make it
answer the line. Commonly set to "A" or "ATA."

DisableString 

A string of up to 12 characters. When the modem receives this string, 
automatic answering will be disabled. Commonly set to "s0=0." 

EnableString 

A string of up to 12 characters. When the modem receives this string, 
automatic answering will be enabled. Commonly set to "s0=1."

Rings

Either enter 1 or 3 to tell the unit how many rings to wait before answering the
line. When Caller-ID is enabled, the ring value should be set to 3 to give the
unit time to gather Caller-ID information.

Defaults Disabled (no strings defined), 1 Ring

Examples Local>> define port 2 modem answer enabled

Local>> DEFINE PORT 2 MODEM ANSWER "s0=0" "s0=1"

See Also Define Ports Modem CallerID, page -79; Profile Settings, page 8-4; Caller-ID,
page 8-11



11.8.2 Define Ports Modem Attention

DEFINE PORTS {PortList | ALL} MODEM ATTENTION string



Defines a string to get the modem's attention. 

Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem attention "at"

See Also Profile Settings, page 8-4 



11.8.3 Define Ports Modem Busy

DEFINE PORTS {PortList | ALL} MODEM BUSY string



Defines a string that the unit will expect from the modem on outbound calls to signal that the remote 
number is busy or otherwise unavailable. 



Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 
Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "BUSY."

Defaults Depends on modem and modem profile.

See Also Profile Settings, page 8-4 

11.8.4 Define Ports Modem CallerID

DEFINE PORTS {PortList | ALL} MODEM CALLERID {ENABLED | DISABLED}



Configures whether the unit will look for and attempt to decode Caller-ID information for incoming calls. 
The unit should be set to wait for three rings before answering the line so that it has enough time to gather
the Caller-ID information. The ring setting can be configured with the Rings command. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only. 

Defaults Disabled 

See Also Define Ports Modem Answer, page -77; Caller-ID, page 8-11 

11.8.5 Define Ports Modem Carrierwait

DEFINE PORTS {PortList | ALL} MODEM CARRIERWAIT seconds





Defines the length of time that a server will wait for a carrier on incoming and autodialed calls. If a carrier 
is not received in that length of time, the unit assumes that it will not be received. The call will fail and the 
modem will be reset. 

Restrictions Requires privileged user status. 
Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

seconds

A time value between 1 and 250 seconds.

Defaults 60 seconds

Examples Local>> define port 2 modem carrierwait 40

See Also Profile Settings — Carrierwait String, page 8-4 

11.8.6 Define Ports Modem Commandprefix

DEFINE PORTS {PortList | ALL} MODEM PREFIX string





Defines a string to send before the "Init" and other configuration strings. 
Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "at."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem commandprefix "at"

See Also Profile Settings, page 8-4 
11.8.7 Define Ports Modem Compression

DEFINE PORTS {PortList | ALL} MODEM COMPRESSION {ENABLED | DISABLED | DisableString EnableString}





Enables or disables data compression in the modem. 

Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

DisableString

A string of up to 12 characters. When this string is received by the modem, data
compression will be disabled.

Note: The DisableString and the EnableString must be entered together.

EnableString

A string of up to 12 characters. When this string is received by the modem, data
compression will be enabled.

Defaults Disabled (no strings defined) 

Examples Local>> define port 2 modem compression enabled

Local>> DEFINE PORT 2 MODEM COMPRESSION "%c" "%c1"

See Also Profile Settings, page 8-4; Compression, page 8-8 

11.8.8 Define Ports Modem Connected

DEFINE PORTS {PortList | ALL} MODEM CONNECTED ConnectString



Defines a string to expect on outbound calls when the modem is connected to the remote location. 
Restrictions Requires privileged user status. 
Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

ConnectString

A string of up to 12 characters. Commonly set to "CONNECT."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem connect "connect"

See Also Profile Settings, page 8-4 

11.8.9 Define Ports Modem Control

DEFINE PORTS {PortList | ALL} MODEM [CONTROL] {ENABLED | DISABLED}



Enables or disables modem handling on the specified port(s). For the description and syntax of particular 
parameters used in conjunction with this command (for example, Define Ports Modem Ring), refer to the 
individual entries that follow. 

When modem handling is enabled, the assertion and deassertion of modem signals (DSR, DTR, and DCD) 
control the port's interaction with the modem, including initializing the modem upon booting and resetting 
the modem between uses. The unit monitors DCD to determine if a connection exists. If DCD drops, the 
unit will log the port out and drop DTR. 

Note: Modem control must be enabled on ports that have modems attached.

Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only. 

Defaults Disabled 

See Also Set/Define Ports DSRLogout, page -49; Show/Monitor/List Ports Modem,
page -72; Chapter 8, Modems
11.8.10 Define Ports Modem Dial

DEFINE PORTS {PortList | ALL} MODEM DIAL DialString



Defines a string to send to the modem to cause it to dial. This string is preceded by the Commandprefix 
string. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

DialString

A string of up to 12 characters. Often touch tone dialing is activated with "dt"
and pulse dialing is activated with "dp."

Defaults Depends on modem and modem profile.

Examples Local>> DEFINE PORT 2 MODEM DIAL "dt"

See Also Define Ports Modem Commandprefix, page -80; Profile Settings, page 8-4



11.8.11 Define Ports Modem Error

DEFINE PORTS {PortList | ALL} MODEM ERROR string









Defines a string to expect on outbound calls when the modem encounters an error. 
Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters set to "ERROR" by default.

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem error "error"

See Also Profile Settings, page 8-4; Define Ports Modem Errorcorrection, page -84 

11.8.12 Define Ports Modem Errorcorrection 



DEFINE PORTS {PortList | ALL} MODEM ERRORCORRECTION {ENABLED | DISABLED | DisableString EnableString}





Enables or disables error correction in the modem.

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges).

Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only. 

DisableString 

A string of up to 12 characters. When the modem receives this string, 
automatic answering will be disabled. 

EnableString 

A string of up to 12 characters. When this string is received by the modem, 
error correction will be enabled. 

Note: The DisableString and the EnableString must be entered together. 
Defaults Disabled (no strings defined) 

Examples Local>> define port 2 modem errorcorrection enabled

Local>> DEFINE PORT 2 MODEM ERRORCORRECTION "&q5" "q0"

See Also Profile Settings, page 8-4; Define Ports Modem Error, page -83 
11.8.13 Define Ports Modem Getsetup

DEFINE PORTS {PortList | ALL} MODEM GETSETUP string



Defines a string to send to the modem to cause it to return its setup. This string is preceded by the 
Commandprefix string. If the string is set to "", the unit will not attempt to get the modem's setup. The unit
will always send the Save string after configuration. Modems that do not return their configuration in a 
single screen should do this. 

Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "&v."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem getsetup "sv"

See Also Define Ports Modem Commandprefix, page -80; Profile Settings, page 8-4 



11.8.14 Define Ports Modem Init

DEFINE PORTS {PortList | ALL} MODEM INIT string



Defines an initialization string to send to the modem. The string is preceded by the Commandprefix string. 
Restrictions Requires privileged user status. 

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 
Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 64 characters.

Defaults Depends on modem and modem profile.

Examples Local>> DEFINE PORT 2 MODEM INIT "Sfwl&cl&d3s2=128"

See Also Define Ports Modem Commandprefix, page -80; Profile Settings, page 8-4



11.8.15 Define Ports Modem Nocarrier

DEFINE PORTS {PortList | ALL} MODEM NOCARRIER string



Defines a string to expect on outbound calls when the modem can dial but doesn't connect. 
Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "NO CARRIER."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem nocarrier "no carrier"

See Also Profile Settings, page 8-4 

11.8.16 Define Ports Modem Nodialtone

DEFINE PORTS {PortList | ALL} MODEM NODIALTONE string



Defines a string to expect on outbound calls when the modem can't detect a dial tone. 
Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "NO DIAL."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem nodial "no dial"

See Also Profile Settings, page 8-4 



11.8.17 Define Ports Modem OK

DEFINE PORTS {PortList | ALL} MODEM OK string









Defines a string to expect after the Attention string is sent to the modem. 
Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "OK."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem ok "ok"

See Also Define Ports Modem Attention, page -78; Profile Settings, page 8-4 
11.8.18 Define Ports Modem Reset

DEFINE PORTS {PortList | ALL} MODEM RESET string



Defines a string that will cause the modem to reset and reload its configuration from NVR. 
Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "Z."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem reset 2

See Also Profile Settings, page 8-4 



11.8.19 Define Ports Modem Ring

DEFINE PORTS {PortList | ALL} MODEM RING string



Defines a string that the modem returns if it rings. 

Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "RING."

Defaults Depends on modem and modem profile.

Examples Local>> DEFINE PORT 2 MODEM RING "M&M"

See Also Profile Settings, page 8-4



11.8.20 Define Ports Modem Save

DEFINE PORTS {PortList | ALL} MODEM SAVE string



Defines a string that forces the modem to save its configuration to NVR. 
Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters. Commonly set to "&w."

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem save "&w"

See Also Profile Settings, page 8-4 



11.8.21 Define Ports Modem Speaker

DEFINE PORTS {PortList | ALL} MODEM SPEAKER {ENABLED | DISABLED | EnableString DisableString}





Enables or disables the modem's speaker. The speaker allows the user to hear the modem's dialup and 
connect sequences for debugging purposes. 
Restrictions Requires privileged user status.

Parameters PortList/All 

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

EnableString

A string of up to 12 characters. Commonly set to "m1." When this string is
received by the modem, the modem's speaker will be enabled.

DisableString

A string of up to 12 characters. Commonly set to "m0." When this string is
received by the modem, the modem's speaker will be disabled.

Defaults Disabled (no strings defined)

Examples Local>> define port 2 modem speaker enabled

Local>> DEFINE PORT 2 MODEM SPEAKER "m1" "m0"

See Also Profile Settings, page 8-4



11.8.22 Define Ports Modem Statistics

DEFINE PORTS {PortList | ALL} MODEM STATISTICS string



Defines a string to send to the modem to collect connection statistics after each call. This string is preceded 
by the Commandprefix string. 



Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

string

A string of up to 12 characters.

Defaults Depends on modem and modem profile.

Examples Local>> DEFINE PORT 2 MODEM STATISTICS "statreport"

See Also Define Ports Modem Commandprefix, page -80; Set/Define Logging, page 155



11.8.23 Define Ports Modem Type

DEFINE PORTS {PortList | ALL} MODEM TYPE TypeNum



Specifies a predefined modem profile. Use the Show Modem command to see a list of available profiles. 
Restrictions Requires privileged user status. 



Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port 
number as an integer between 1 and 16. Port numbers should be separated 
with commas (for lists) or dashes (for ranges). 



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

TypeNum

A predefined modem profile number.

Defaults Depends on modem and modem profile.

Examples Local>> define port 2 modem type 12

See Also Show/Monitor/List Modem, page -91; Modem Profiles, page 8-2



11.8.24 Show/Monitor/List Modem 



{SHOW | MONITOR | LIST} MODEM num





Displays a list of modem profiles. 

Restrictions You must be the privileged user to use the Monitor command. 

Parameters num

A particular modem profile type to display.

Examples Local> SHOW MODEM 3

See Also Modem Profiles, page 8-2
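The limits stated in the modem command entries above (ports 1 to 16, strings of up to 12 characters, 64 for Init, Carrierwait of 1 to 250 seconds, Rings of 1 or 3) can be checked before a configuration script is sent to the unit. The following Python checker is an added example, not SMC code: it validates DEFINE PORTS ... MODEM lines against those limits and lists ports left with Caller-ID enabled while answering after fewer than 3 rings. It assumes full keyword spellings; the function names and the SAMPLE lines are constructed for illustration.

```python
import shlex

MAX_PORT = 16  # port numbers in this chapter run from 1 to 16
# Maximum string length per MODEM keyword, taken from the parameter entries.
STRING_LIMIT = dict.fromkeys(
    ("BUSY", "COMMANDPREFIX", "CONNECTED", "DIAL", "ERROR", "GETSETUP",
     "NOCARRIER", "NODIALTONE", "OK", "RESET", "RING", "SAVE", "STATISTICS"), 12)
STRING_LIMIT["INIT"] = 64
# Keywords that take ENABLED/DISABLED or two strings of up to 12 characters.
PAIRED = ("ANSWER", "COMPRESSION", "ERRORCORRECTION", "SPEAKER")
SWITCHES = ("ENABLED", "DISABLED")


def parse_port_list(text):
    """Expand 'ALL' or a list such as '3,4,7-8' into sorted port numbers."""
    if text.upper() == "ALL":
        return list(range(1, MAX_PORT + 1))
    ports = set()
    for item in text.split(","):
        lo, dash, hi = item.partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"bad port item {item!r}")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port item {item!r} is outside 1-{MAX_PORT}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def check_args(keyword, args):
    """Return the problems found in the arguments of one MODEM keyword."""
    flags = [a.upper() for a in args]
    if keyword in STRING_LIMIT:
        if len(args) != 1:
            return [f"{keyword} takes exactly one string"]
        limit = STRING_LIMIT[keyword]
        return [f"{keyword} string exceeds {limit} characters"] if len(args[0]) > limit else []
    if keyword in ("ATTENTION", "TYPE"):  # no length limit is stated for these
        return [] if len(args) == 1 else [f"{keyword} takes exactly one value"]
    if keyword == "CARRIERWAIT":
        ok = len(args) == 1 and args[0].isdigit() and 1 <= int(args[0]) <= 250
        return [] if ok else ["CARRIERWAIT must be 1-250 seconds"]
    if keyword in ("CALLERID", "CONTROL"):
        ok = len(flags) == 1 and flags[0] in SWITCHES
        return [] if ok else [f"{keyword} takes ENABLED or DISABLED"]
    if keyword in PAIRED:
        if len(flags) == 1 and flags[0] in SWITCHES:
            return []
        if keyword == "ANSWER" and flags[:1] == ["RINGS"]:
            return [] if flags[1:] in (["1"], ["3"]) else ["RINGS must be 1 or 3"]
        if keyword == "ANSWER" and flags[:1] == ["COMMAND"]:
            return [] if len(args) == 2 else ["COMMAND takes one string"]
        if len(args) != 2:
            return [f"{keyword} strings must be entered as a pair"]
        return [f"{keyword} string {a!r} exceeds 12 characters" for a in args if len(a) > 12]
    return [f"keyword {keyword} is not covered by this checker"]


def check_command(line):
    """Parse one DEFINE PORT(S) ... MODEM line; return (ports, keyword, args, problems).

    ports is None when no PortList or ALL is given (current port only).
    """
    tok = shlex.split(line)  # honours the quotes around modem strings
    up = [t.upper() for t in tok]
    if up[:1] != ["DEFINE"] or up[1:2] not in (["PORT"], ["PORTS"]):
        return None, None, [], ["not a DEFINE PORTS command"]
    ports, rest = None, tok[2:]
    if rest and rest[0].upper() != "MODEM":
        try:
            ports = parse_port_list(rest[0])
        except ValueError as exc:
            return None, None, [], [str(exc)]
        rest = rest[1:]
    if len(rest) < 2 or rest[0].upper() != "MODEM":
        return ports, None, [], ["expected MODEM followed by a keyword"]
    keyword, args = rest[1].upper(), rest[2:]
    return ports, keyword, args, check_args(keyword, args)


def caller_id_ring_conflicts(lines):
    """Ports left with Caller-ID enabled while answering after fewer than 3 rings."""
    caller_id, rings = {}, {}  # defaults on this page: Caller-ID disabled, 1 ring
    for line in lines:
        ports, keyword, args, problems = check_command(line)
        if problems or ports is None:
            continue  # invalid lines and current-port lines are not tracked
        for port in ports:
            if keyword == "CALLERID":
                caller_id[port] = args[0].upper() == "ENABLED"
            elif keyword == "ANSWER" and args[0].upper() == "RINGS":
                rings[port] = int(args[1])
    return sorted(p for p, on in caller_id.items() if on and rings.get(p, 1) != 3)


# Constructed sample script, not taken from a real unit.
SAMPLE = [
    'DEFINE PORT 2 MODEM ANSWER "s0=0" "s0=1"',
    'DEFINE PORT 2 MODEM CALLERID ENABLED',
    'DEFINE PORTS 3,4,7-8 MODEM CALLERID ENABLED',
    'DEFINE PORTS 7-8 MODEM ANSWER RINGS 3',
    'DEFINE PORT 2 MODEM NOCARRIER "no carrier"',
    'DEFINE PORT 17 MODEM CARRIERWAIT 40',
    'DEFINE PORT 2 MODEM COMPRESSION "%c1"',
]
```

In the sample, ports 2, 3 and 4 are reported because Caller-ID is enabled on them while Rings is still at its default of 1.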
11.9 Service Commands

11.9.1 Clear/Purge Service

{CLEAR | PURGE} SERVICE {LOCAL | ServiceName}



Removes a unit service. Clearing a service only disables it until re-initialization of the unit. For a
permanent removal, the Purge command must be used. 



Restrictions Requires privileged user status.

Errors Clear Service fails when there are sessions connected to the service or when
there are connect requests in the service's queue. These conditions can be
corrected with the Logout Port and Remove Queue commands.

Parameters Local

Specifies that all local services should be removed.

ServiceName

A specific service to be removed.

Examples Local>> PURGE SERVICE LOCAL
Local>> CLEAR SERVICE FILESERVER

See Also Show/Monitor/List Services, page -99; Sessions, page 7-4



11.9.2 Remove Queue

REMOVE QUEUE {ENTRY number | NODE name | SERVICE name | ALL}





Removes requests for local services from that service's queue. A particular request or all requests may be 
specified. 



Restrictions Requires privileged user status.

Parameters Entry

Specifies a particular queue entry to be removed. Must be used in conjunction
with the number parameter.

number

A queue entry number. 
Node 

Specifies a particular node from which all connection requests will be 
removed. Must be used in conjunction with the name parameter. 

Service 

Specifies a particular local service; all entries queued to this service will be 
deleted. Must be used in conjunction with the name parameter. 

name 

A node or service name. 
All 

Removes all entries in the local service queue. 

Examples Local>> REMOVE QUEUE NODE hydra

Local>> REMOVE QUEUE ENTRY 5

Local>> REMOVE QUEUE SERVICE MODEM

Local>> REMOVE QUEUE ALL

See Also Show/Monitor Queue, page -11 



11.9.3 Set/Define Service

{SET | DEFINE} SERVICE ServiceName



Creates a new service. For the description and syntax of particular parameters used in conjunction with this 
command, refer to the individual entries that follow. 

Note: A maximum of 16 services can be created for the unit. 
Restrictions Requires privileged user status. 

Parameters ServiceName 

A string of up to 16 alphanumeric characters. Spaces are not permitted. 

See Also Clear/Purge Service, page -93 



11.9.4 Set/Define Service Banner

{SET | DEFINE} SERVICE ServiceName BANNER {ENABLED | DISABLED}

Specifies whether the unit should print a banner page before starting the job. Banners should be disabled
(the default) for all PostScript and plotter (binary) data. 



Restrictions Requires privileged user status.

Defaults Enabled

See Also Clear/Purge Service, page -93



11.9.5 Set/Define Service Binary

{SET | DEFINE} SERVICE ServiceName BINARY {ENABLED | DISABLED}



If the binary characteristic is enabled on a service, character translation (i.e. <cr> to <cr><lf> translation)
and tab expansion will be permitted on the print data. The binary characteristic should be disabled when 
printing PCL data. 



Restrictions Requires privileged user status.

Defaults Disabled

See Also Clear/Purge Service, page -93



11.9.6 Set/Define Service EOJ

{SET | DEFINE} SERVICE ServiceName EOJ {EndString | NONE}



Specifies a string to be sent to the attached device at the end of every job regardless of network protocol. 



Restrictions Requires privileged user status.

Parameters EndString

Any ASCII characters, or non-ASCII characters entered as hexadecimal digits
(e.g. \45). The combined length of the SOJ and EOJ strings must not exceed 62
characters.

None

Clears any previously-configured string.

Defaults No string configured

See Also Clear/Purge Service, page -93
11.9.7 Set/Define Service Formfeed

{SET | DEFINE} SERVICE ServiceName FORMFEED {ENABLED | DISABLED}



If enabled (the default), the unit will append a formfeed at the end of any LPR print jobs. 
Restrictions Requires privileged user status. 

Defaults Enabled 
See Also Clear/Purge Service, page -93 

11.9.8 Set/Define Service Ports

{SET | DEFINE} SERVICE ServiceName PORTS {PortList | ALL} {ENABLED | DISABLED}



Specifies a list of ports that will support or offer this service. If Enabled or Disabled is specified, the ports 
listed will be added to or removed from the current list, respectively. If neither option is specified, the new 
port list will replace the old port list. Note that ports offering a service must be in the correct access mode 
for connections to succeed. 



Restrictions Requires privileged user status.

Parameters PortList/All

Specifies a particular port or group of ports, or all ports. Enter each port
number as an integer between 1 and 16. Port numbers should be separated
with commas (for lists) or dashes (for ranges).



Note: In the absence of a PortList or the All parameter, the configuration will affect the
current port only.

Defaults Disabled

Examples Local>> SET SERVICE lab5 PORTS 3,4,7-8 ENABLED

See Also Clear/Purge Service, page -93; Set/Define Ports Access, page -39 
11.9.9 Set/Define Service Postscript

{SET | DEFINE} SERVICE ServiceName POSTSCRIPT {ENABLED | DISABLED}



If enabled, the unit will assume there is a PostScript printer attached to the service ports and will try to 
ensure a job is done before starting another. It will send a Ctrl-D to the attached device and wait for the new 
printer to return a Ctrl-D before starting the job transfer. If this is not done, slower printers may lose new 
jobs while interpreting the previous job. Setting PostScript mode is strongly recommended for all PostScript 
queues. 



Restrictions Requires privileged user status.

Defaults Disabled

See Also Clear/Purge Service, page -93



11.9.10 Set/Define Service PSConvert

{SET | DEFINE} SERVICE ServiceName PSCONVERT {ENABLED | DISABLED}



Controls whether the unit will place a PostScript wrapper around each job. The unit will try to detect if it is 
already a PostScript job, in which case it would not add an additional wrapper. 



See Also Clear/Purge Service, page -93



11.9.11 Set/Define Service RTEL

{SET | DEFINE} SERVICE ServiceName RTEL {ENABLED | DISABLED}



Enables or disables RTEL access to the specified service. 
Restrictions Requires privileged user status. 

Defaults Enabled 
See Also Clear/Purge Service, page -93 
11.9.12 Set/Define Service SOJ

{SET | DEFINE} SERVICE ServiceName SOJ {StartString | NONE}



Specifies a string to be sent to the attached device at the start of every access regardless of network protocol. 
Restrictions Requires privileged user status. 



Parameters StartString

Any ASCII characters, or a backslash and two hex digits.

None

Clears any previously-configured string. No string is configured by default.

Examples Local>> DEFINE SERVICE myserv SOJ \45

See Also Clear/Purge Service, page -93



11.9.13 Set/Define Service TCPport

{SET | DEFINE} SERVICE ServiceName TCPPORT {SocketNum | NONE}



Associates a TCP listener socket with the given service. TCP connections to this socket will be connected 
to the service. 



Restrictions Requires privileged user status.

Parameters SocketNum

A particular socket. The socket number can be an integer from 4000 to 4999.

None

Clears the current socket number.

Defaults None

See Also Clear/Purge Service, page -93
11.9.14 Set/Define Service Telnetport

{SET | DEFINE} SERVICE ServiceName TELNETPORT {SocketNum | NONE}



Associates a TCP listener socket with the given service. TCP connections to this socket will be connected 
to the service. Unlike the TCPport option, a Telnetport socket will do Telnet IAC negotiations on the data 
stream. 



Restrictions Requires privileged user status.

Parameters SocketNum

A particular socket. The socket number can be an integer from 4000 to 4999.

None

Clears the current socket number.

Defaults None

See Also Clear/Purge Service, page -93
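The practical difference between a TCPport socket and a Telnetport socket is what a client sees in the byte stream: on a Telnetport socket, bytes of value 255 (IAC) introduce negotiation sequences and a literal 255 in the data is sent doubled. The following Python filter is an added example, not SMC code: it separates data from negotiation on the receiving side, refuses every option offered, and escapes outgoing data. The byte values are the standard Telnet ones; the class name, the refuse-everything policy and the sample chunks are constructed for illustration.

```python
# Standard Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def _end_of_subnegotiation(buf, start):
    """Index just past the IAC SE that closes the IAC SB at start, or -1 if incomplete."""
    j = start + 2
    while j + 1 < len(buf):
        if buf[j] != IAC:
            j += 1
        elif buf[j + 1] == SE:
            return j + 2
        else:
            j += 2  # IAC IAC (escaped 255) or another command inside the block
    return -1


class TelnetFilter:
    """Incrementally split a Telnetport byte stream into data and replies."""

    def __init__(self):
        self._pending = b""  # incomplete IAC sequence carried over to the next chunk

    def feed(self, chunk):
        """Return (data, replies) for one received chunk."""
        buf = self._pending + chunk
        data, replies = bytearray(), bytearray()
        i = 0
        while i < len(buf):
            if buf[i] != IAC:
                data.append(buf[i])
                i += 1
                continue
            if i + 1 >= len(buf):
                break  # lone IAC at the end of the chunk: wait for more bytes
            cmd = buf[i + 1]
            if cmd == IAC:  # doubled IAC is one literal 255 data byte
                data.append(IAC)
                i += 2
            elif cmd in (DO, DONT, WILL, WONT):
                if i + 2 >= len(buf):
                    break  # option byte not received yet
                option = buf[i + 2]
                if cmd == DO:
                    replies += bytes([IAC, WONT, option])  # refuse to enable it
                elif cmd == WILL:
                    replies += bytes([IAC, DONT, option])  # ask the peer not to
                i += 3
            elif cmd == SB:
                end = _end_of_subnegotiation(buf, i)
                if end < 0:
                    break  # subnegotiation continues in a later chunk
                i = end
            else:
                i += 2  # other two-byte commands carry no data
        self._pending = bytes(buf[i:])
        return bytes(data), bytes(replies)


def escape_for_telnet(data):
    """Double every 255 byte so binary data survives a Telnetport socket."""
    return data.replace(bytes([IAC]), bytes([IAC, IAC]))


# Constructed capture: two chunks as a client might receive them, with an
# escaped 255 data byte split across the chunk boundary.
CHUNK1 = bytes([IAC, WILL, 1, IAC, DO, 24]) + b"job:" + bytes([IAC])
CHUNK2 = bytes([IAC]) + b":end" + bytes([IAC, SB, 24, 1, IAC, SE])
```

A client that treats a Telnetport socket as a raw TCPport socket would pass the negotiation bytes to the attached device or application as data, and unescaped 255 bytes in outgoing binary data would be read as commands.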



11.9.15 Show/Monitor/List Services

{SHOW | MONITOR | LIST} SERVICES {LOCAL | service | ALL} {CHARACTERISTICS | SUMMARY | STATUS}





This command is used to display the characteristics of the services on the network. Remember that this list 
is masked by the services that this port is eligible to see — users will not see services they cannot connect to. 



Restrictions You must be the privileged user to use the Monitor command.

Parameters Local

Displays those services local to this server, whether available or not. 



service 

Specifies a particular service. Numbers and wildcards are permitted. 
All 

Displays all known services usable by the current port. 
Characteristics 

Displays information about the known (local and remote) services. 
Information includes service rating, group code, and if the service is local, the 
service ports and service flags (such as Queueing and Connections). 
Summary

Displays one-line summary information for the specified services. 
Status 

Displays full information for the specified services including network address, 
protocol version, and other services that node offers. 

Examples Local> SHOW SERVICE lab5_prtr STATUS 

Local> MONITOR SERVICE LOCAL SUMMARY 

See Also Clear/Purge Service, page -93 
11.10 Server Commands

11.10.1 Initialize Server

INITIALIZE SERVER {CANCEL | DELAY delay | FACTORY | NOBOOT | RELOAD}





Controls unit initialization and behavior after the unit is booted. When the server is initialized, all changes 
made using Set commands will be lost unless corresponding Define or Save commands were also made. 

Restrictions Requires privileged user status. 

Parameters Cancel 

Cancels any pending initialization. 

Delay 

Schedules the initialization to take place after a specified number of minutes. 
Must be used in conjunction with the delay parameter. 

delay 

An integer between zero and 120, representing seconds before the initialization.
Zero specifies an immediate reboot. 

Note: Show/Monitor/List Server will display the time remaining before a scheduled 
initialization. 

Factory 

Reloads the factory settings. All configurations made with the Define and Save 
commands will be cleared and will have to be reconfigured. 

Noboot 

Forces the unit to remain in the Boot Configuration Program (BCP) instead of 
booting. 

Reload 

On Flash ROM equipped units, re-downloads the operational code and 
reprograms the Flash ROM. 

Examples Local>> INITIALIZE DELAY 2

Local>> INITIALIZE RELOAD FACTORY DELAY 12
Local>> INITIALIZE FACTORY
Local>> INITIALIZE CANCEL

See Also Rebooting the unit, page 2-4; Reloading Operational Software, page 2-5

11.10.2 Set/Define Server Altprompt

{SET | DEFINE} SERVER ALTPROMPT {ENABLED | DISABLED}

Enables or disables the alternate UNIX-like prompts at login time. When enabled, the "Username>" prompt
is changed to "login:" and the "Password>" prompt is changed to "Password:".

Defaults Disabled 

See Also Set/Define Server Prompt, page -109 

11.10.3 Set/Define Server BOOTP

{SET | DEFINE} SERVER BOOTP {ENABLED | DISABLED}

Enables or disables querying for a BOOTP host at system boot time.

Restrictions Requires privileged user status.

Defaults Enabled

See Also Your unit Installation Guide

11.10.4 Set/Define Server Broadcast

{SET | DEFINE} SERVER BROADCAST {ENABLED | DISABLED}



Enables or disables broadcasts from the server's ports. 

Restrictions Requires privileged user status. 

Defaults Enabled 

See Also Broadcast, page -5

11.10.5 Set/Define Server Buffering

{SET | DEFINE} SERVER BUFFERING buffersize

Specifies the size of the buffer (in bytes) used for TCP/IP connections. The size can be increased for large
data transfers such as file transfers.

Restrictions Requires privileged user status.

Parameters buffersize

Specify the buffer size in bytes between 128 and 8192.

Defaults (VERIFY for each unit)

Examples Local>> SET SERVER BUFFERING 1024



11.10.6 Set/Define Server Clock

{SET | DEFINE} SERVER CLOCK time date

Manually sets the date and time information on the server clock. (VERIFY which devices this is applicable
to)

Restrictions Requires privileged user status.

Parameters time

Enter the time in 24-hour hh:mm:ss format. Entering seconds is optional.

date

Enter the date in mm/dd/yyyy format.

Examples Local>> SET SERVER CLOCK 13:23 03/15/1995

See Also Set/Define IP Timeserver, page -28; Show/Monitor/List Server Clock, page
114; Show/Monitor/List Timezone, page -115; Setting the Date and Time,
page 2-8

11.10.7 Set/Define Server Host Limit

{SET | DEFINE} SERVER HOST [LIMIT] {limit | NONE}

Sets the maximum number of TCP/IP hosts learned from Rwho that the server will keep information for.
Hosts from the preset host table are exempt from this limit. If the new limit is less than the current limit and
the host table is full, the limit will be slowly weeded down to the new value.

Restrictions Requires privileged user status.

Parameters limit

A value between 0 and 200.

None

No limit is set.

Defaults 200 hosts

Examples Local>> SET SERVER HOST LIMIT 6



11.10.8 Set/Define Server Inactivity

{SET | DEFINE} SERVER INACTIVITY [timer] limit

Sets the period of time after which a port with Inactivity Logout enabled is considered inactive and is
automatically logged out.

Restrictions Requires privileged user status.

Parameters limit

Enter an inactivity period of 1 to 120 minutes.

Defaults 30 minutes

Examples Local>> DEFINE SERVER INACTIVITY LIMIT 20

See Also Set/Define Ports Inactivity Logout, page -52

11.10.9 Set/Define Server Incoming

{SET | DEFINE} SERVER INCOMING {TELNET | NONE | PASSWORD | NOPASSWORD}

Allows or denies incoming Telnet connections and enforces password protection if desired. The Show
Server command shows the status of incoming connection parameters.

The status of the Incoming Telnet also controls incoming Rlogin sessions from remote hosts; the Set/Define
Server Rlogin command controls outgoing Rlogin connections.

Restrictions Requires privileged user status.

Parameters Telnet

Enables incoming Telnet connects (logins) to the server.

None

Prevents all login attempts.

Password

Requires incoming Telnet login attempts to supply the server login password
before being logged in.

NoPassword

Incoming Telnet logins are permitted and are not prompted for the login
password before connecting.

Defaults Telnet, NoPassword

Note: The default incoming password is "access." See the Set/Define Server Login
Password command for more information.

Examples Local>> SET SERVER INCOMING TELNET INCOMING PASSWORD

(sets up password protected Telnet logins)

See Also Set/Define Server Rlogin, page -110; Set/Define Server Login Password, page
-106; Login Password, page 7-10



11.10.10 Set/Define Server Loadhost

{SET | DEFINE} SERVER LOADHOST IPaddress

Specifies the host to be used for downloads from TCP/IP hosts. The host name must be a numeric IP-style
address. The unit requests its run-time code from this host.

Restrictions Requires privileged user status.

Parameters IPaddress

An IP address in standard numeric format (for example, 193.0.1.50).

Examples Local>> DEFINE SERVER LOADHOST 193.23.71.49

See Also Your unit Installation Guide

11.10.11 Set/Define Server Lock

{SET | DEFINE} SERVER LOCK {ENABLED | DISABLED}

Controls whether or not local users are permitted to Lock their ports.

Restrictions Requires privileged user status.

Defaults Enabled

See Also Locking a Port, page 7-9

11.10.12 Set/Define Server Login Password

{SET | DEFINE} SERVER LOGIN [PASSWORD] [password]

Specifies the password that is used to log in to the server from the serial ports or the network. If the password
is not given on the command line, you will immediately be prompted to enter the password, which will not
be displayed when typed.

The login password is only required on ports that have been Password Enabled.

Restrictions Requires privileged user status.

Parameters passwd

Enter a password of 16 or fewer characters.

Note: unit passwords are case-independent, even when enclosed in quotes.

Defaults "access"

Examples Local>> SET SERVER LOGIN PASSWORD
Password> platyp (not echoed)
Verification> platyp (not echoed)
Local>>

See Also Set/Define Server Incoming Password, page -105; Login Password, page 7-10



11.10.13 Set/Define Server Name

{SET | DEFINE} SERVER NAME ServerName

Specifies the name of the unit. The name string must be in quotes if lowercase characters are used.

Restrictions Requires privileged user status.

Parameters ServerName

Assign a name to the unit, 16 alphanumeric characters or less.

Defaults unit_xxxxxx where xxxxxx represents the last 3 segments of the unit's
hardware address.

Examples Local>> SET SERVER NAME "docserver"

See Also Changing the unit Server Name, page 2-7



11.10.14 Set/Define Server Nameserver

{SET | DEFINE} SERVER NAMESERVER IPaddress

Specifies the IP address of the name server (if any) for TCP/IP connections. This host will attempt to resolve
text hostnames into numeric form if the local host table is unable to do so.

Restrictions Requires privileged user status.

Parameters IPaddress

The network address of the nameserving host, in numeric IP format.

Examples Local>> SET SERVER NAMESERVER 192.0.1.49

See Also Set/Define IP Host Limit, page -23; Set/Define IP Nameserver, page -24;
Configuring the Domain Name Service (DNS), page 5-8

11.10.15 Set/Define Server Password Limit

{SET | DEFINE} SERVER PASSWORD [LIMIT] {limit | NONE}

Limits the number of failures allowed when issuing the Set Privileged command. After limit retries, the port
will be logged out. The user can abort the password process by typing Ctrl-Z instead of the password.
(VERIFY - shouldn't this be with Set Privileged?)

Restrictions Requires privileged user status.

Parameters limit

A value between 0 and 100. If zero is specified, the port is never logged out for
too many password failures.

None

Sets the password limit to the default value.

Defaults 3 tries

Examples Local>> SET SERVER PASSWORD LIMIT 10

See Also Set Privileged/Noprivileged, page -69



11.10.16 Set/Define Server Privileged Password

{SET | DEFINE} SERVER PRIVILEGED [PASSWORD] [passwd]

Sets the password for becoming the "superuser" of the server. If the password is not given on the command
line, you will immediately be prompted to enter the password, which will not be displayed when typed.

Restrictions Requires privileged user status.

Parameters passwd

Enter a password of 16 or fewer characters.

Note: unit passwords are case-independent, even when enclosed in quotes.

Defaults "system"

Examples Local>> SET SERVER PRIVILEGED PASSWORD "yodel"

Local>> SET SERVER PRIVILEGED
Password: ok2bin (not echoed)
Verify: ok2bin (not echoed)

See Also Set Privileged/Noprivileged, page -69; Privileged Password, page 2-6

11.10.17 Set/Define Server Prompt

{SET | DEFINE} SERVER PROMPT PromptString

This command allows the manager to change the prompt that users see from the default Local_x> string. A
string of up to 16 characters can be configured, and should be enclosed in quotes.

Restrictions Requires privileged user status.

Parameters PromptString

The following parameters can be included in the prompt string:

String    Effect on Prompt
%p        Substitutes the current port's name
%n        Substitutes the current port's number
%s        Substitutes the current server name
%D        Substitutes the product name (unit2, unit4, etc.)
%C        Substitutes the company name (SMC)
%S        Substitutes the current session name
%P        Substitutes a > if user is currently privileged
%%        Substitutes a percent sign (%)

Defaults Local_%n%P

Examples (shown with the prompt that might result on the next line)

Local>> SET SERVER PROMPT "Port %n:"

Port 3: SET SERVER PROMPT "%D:%S!"

SMC2:LabServ! SET SERVER PROMPT "%p%S_%n%P%%"

Port_5[NoSession]_5>% SET SERVER PROMPT "Lcl_%n>%P"

Lcl_3>>

See Also Changing the unit Local Prompt on page 2-7

11.10.18 Set/Define Server RARP

{SET | DEFINE} SERVER RARP {ENABLED | DISABLED}

Enables or disables querying for a RARP host at system boot time.

Restrictions Requires privileged user status.

Defaults Enabled

See Also Your Installation Guide

11.10.19 Set/Define Server Rlogin

{SET | DEFINE} SERVER RLOGIN {ENABLED | DISABLED}

Restricts the use of the Rlogin command from the server. If Rlogins are disabled, you may not Rlogin to
remote hosts. Incoming Rlogin connections may still be permitted, depending on the current Set/Define
Server Incoming setting.

Restrictions Requires privileged user status.

Defaults Disabled

11.10.20 Set/Define Server Session Limit

{SET | DEFINE} SERVER SESSION [LIMIT] {limit | NONE}

Sets the limit on active sessions per port. Each port can have an additional limit less than or equal to this
limit.

Restrictions Requires privileged user status.

Parameters limit

A number between zero and 8.

None

The maximum possible session limit is used (8).

Defaults 4 sessions

See Also Sessions, page 7-4



11.10.21 Set/Define Server Software

{SET | DEFINE} SERVER SOFTWARE filename

Specifies the name of the download software file (if any) the server will attempt to load at boot time. For
IP-loading hosts, this is the file that will be requested at boot time. This command is only useful if it is
Defined; if it is Set, it will be cleared/reset at boot time.

For TFTP loading, the complete path of the file can also be specified if the file is located in a directory other
than the default. The path name can be up to 31 characters in length not counting the file name. The full path
must be enclosed in quotes to preserve case.

Restrictions Requires privileged user status.

Parameters filename

Load file name, 15 characters or less. The server will automatically add the
".SYS" extension to the name.

Examples Local>> DEFINE SERVER SOFTWARE SMC

Local>> DEFINE SERVER SOFTWARE "/usr/rich/tscode"

See Also Set/Define Server Loadhost, page -105; Editing Boot Parameters, page 2-5;
Your unit Installation Guide



11.10.22 Set/Define Server Startupfile

{SET | DEFINE} SERVER STARTUPFILE {host:filename [RETRY retrynum] | NONE}

Configures the startup configuration file that the unit will attempt to download at boot time. This file
contains the unit commands that will configure the server before the users and services are started. If no
retry limit is specified in the command, the unit will retry failed downloads forever; otherwise it will retry
the specified number of times and then boot normally.

Telnet consoles are available at the time the server attempts to download the startupfile; if there is a problem
with the download, you can still log into the server and determine what went wrong.

Restrictions Requires privileged user status.

Parameters host

An IP address, or a text host name that is resolvable at boot time.

filename

A startup file name of up to 47 characters.

Retry

Configures the server retry limit. Must be used with the retrynum parameter.

retrynum

The number of times to retry the download attempt. The maximum number of
retries is 1000. If a retrynum is not specified, the unit will retry 5 times (the
default).

None

Clears any specified startup file.

Defaults Startupfile: none specified
Retries: 5

Examples Local>> DEFINE SERVER STARTUPFILE "bob:start" RETRY 6

See Also Editing Boot Parameters, page 2-5; Your unit Installation Guide
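The following is an added example, not part of this manual or the unit's software: a Python check that reads a file of server commands, of the kind loaded with Set/Define Server Startupfile, and reports where the resulting settings still match the permissive defaults documented in the Incoming, Login Password, Password Limit and Privileged Password sections. It assumes options the file does not mention keep their documented defaults and treats Set and Define alike; the function names, finding labels and sample file are constructed for the example.

```python
import shlex

# Defaults documented on this page for settings the file does not touch.
DEFAULTS = {
    "incoming_telnet": True,        # Server Incoming default: Telnet
    "incoming_password": False,     # Server Incoming default: NoPassword
    "login_password": "access",
    "privileged_password": "system",
    "password_limit": 3,
}


def apply_commands(text):
    """Fold SET/DEFINE SERVER lines into the resulting settings."""
    state = dict(DEFAULTS)
    state["inline_password_lines"] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            words = shlex.split(raw)          # honours "quoted strings"
        except ValueError:
            continue                          # unbalanced quote: skip the line
        if len(words) < 3:
            continue
        verb, scope, option = (w.upper() for w in words[:3])
        if verb not in ("SET", "DEFINE") or scope != "SERVER":
            continue
        args = words[3:]
        if option == "INCOMING":
            for arg in (a.upper() for a in args):
                if arg == "TELNET":
                    state["incoming_telnet"] = True
                elif arg == "NONE":
                    state["incoming_telnet"] = False
                elif arg == "PASSWORD":
                    state["incoming_password"] = True
                elif arg == "NOPASSWORD":
                    state["incoming_password"] = False
        elif option in ("LOGIN", "PRIVILEGED"):
            if args and args[0].upper() == "PASSWORD":
                args = args[1:]               # optional keyword
            if args:
                state[option.lower() + "_password"] = args[0]
                state["inline_password_lines"].append(lineno)
        elif option == "PASSWORD":
            if args and args[0].upper() == "LIMIT":
                args = args[1:]               # optional keyword
            if args and args[0].upper() == "NONE":
                state["password_limit"] = DEFAULTS["password_limit"]
            elif args and args[0].isdigit():
                state["password_limit"] = int(args[0])
    return state


def audit(state):
    """Return (label, explanation) pairs for settings worth reviewing."""
    findings = []
    if state["incoming_telnet"] and not state["incoming_password"]:
        findings.append(("TELNET_NOPASSWORD",
                         "incoming Telnet logins are not asked for the login password"))
    # Unit passwords are case-independent, so compare case-insensitively.
    if state["login_password"].lower() == DEFAULTS["login_password"]:
        findings.append(("DEFAULT_LOGIN_PASSWORD",
                         'login password is still the documented default "access"'))
    if state["privileged_password"].lower() == DEFAULTS["privileged_password"]:
        findings.append(("DEFAULT_PRIVILEGED_PASSWORD",
                         'privileged password is still the documented default "system"'))
    if state["password_limit"] == 0:
        findings.append(("NO_PASSWORD_LIMIT",
                         "a limit of 0 never logs the port out after failed attempts"))
    if state["inline_password_lines"]:
        findings.append(("PASSWORD_IN_FILE",
                         "password given on the command line at line(s) %s"
                         % state["inline_password_lines"]))
    return findings


# Constructed sample startup file.
SAMPLE = "\n".join([
    'DEFINE SERVER NAME "docserver"',
    "DEFINE SERVER INCOMING TELNET INCOMING PASSWORD",
    'DEFINE SERVER PRIVILEGED PASSWORD "yodel"',
    "DEFINE SERVER PASSWORD LIMIT 0",
])

if __name__ == "__main__":
    for label, why in audit(apply_commands(SAMPLE)):
        print(label, "-", why)
```
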



11.10.23 Set/Define Server Timezone

{SET | DEFINE} SERVER TIMEZONE {timezone | STDzone time [DSTzone time ChangeTime RevertTime] | NONE}

Manually sets the timezone for the unit.

Restrictions Requires privileged user status.

Parameters timezone

A pre-configured timezone name. Use the Show/Monitor/List command to see
a list of available timezone names.

STDzone

A three-letter timezone name that represents your Standard Time zone (for
example, use PST for Pacific Standard Time). Must be used in conjunction
with the time parameter.

DSTzone

A three-letter timezone name that represents your Daylight Savings Time zone
(for example, use PDT for Pacific Daylight Time). Must be used in conjunction
with the time parameter.

time

The time difference from Greenwich Mean Time, entered as h:mm. Entering
the minutes is optional.

ChangeTime

Enter the month, day, and time of day that the change to DST occurs,
separating each element by a space (see the examples below). For the month,
enter the first three letters of the month. For the day, recognized forms include:

5          The fifth day of the month
lastSun    The last Sunday in the month
Sun>=8     The first Sunday on or after the 8th of the month
Sun<=25    The last Sunday on or before the 25th of the month

For the time of day, use the same format as used for the time parameter.

RevertTime

Enter the month, day, and time of day

None

Specifies that no timezone will be used.

Examples Local>> DEFINE SERVER TIMEZONE america/eastern

Local>> DEFINE SERVER TIMEZONE HST -10

Local>> DEFINE SERVER TIMEZONE MET 1:00 MET-DST 1:00 Mar lastSun 2:00
Sep lastSun 2:00

(In the last example above, MET is the STDzone, and MET-DST is the
DSTzone, both of which are one hour off of Greenwich Mean Time. The
change to DST occurs on the last Sunday in March at 2:00, and it
reverts back to standard time on the last Sunday in September at 2:00.)

See Also Set/Define Server Clock, page -103; Show/Monitor/List Timezone, page -115
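The day forms listed under ChangeTime can be checked against a calendar before they are committed to a unit. The Python below is an added example, not code from the manual or the unit: it resolves each form to a date for a given year. Accepting weekday names other than Sun and rejecting a rule that lands outside the month are assumptions of the example.

```python
import calendar
import datetime
import re

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
# Index matches datetime.date.weekday(): Monday is 0, Sunday is 6.
WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def resolve_day(year, month, form):
    """Turn a day form ('5', 'lastSun', 'Sun>=8', 'Sun<=25') into a date."""
    m = MONTHS.index(month[:3].lower()) + 1
    last_day = calendar.monthrange(year, m)[1]
    if form.isdigit():
        day = int(form)
    elif form[:4].lower() == "last":
        wd = WEEKDAYS.index(form[4:].lower())
        # Step back from the month's final day to the wanted weekday.
        day = last_day - (datetime.date(year, m, last_day).weekday() - wd) % 7
    else:
        match = re.fullmatch(r"([A-Za-z]{3})(>=|<=)(\d{1,2})", form)
        if match is None:
            raise ValueError("unrecognised day form: %r" % form)
        wd = WEEKDAYS.index(match.group(1).lower())
        anchor = int(match.group(3))
        if not 1 <= anchor <= last_day:
            raise ValueError("day %d is not in this month" % anchor)
        base = datetime.date(year, m, anchor).weekday()
        if match.group(2) == ">=":
            day = anchor + (wd - base) % 7    # first match on or after anchor
        else:
            day = anchor - (base - wd) % 7    # last match on or before anchor
    if not 1 <= day <= last_day:
        # Assumption of this example: a rule must resolve inside its month.
        raise ValueError("%s %s does not fall inside the month" % (month, form))
    return datetime.date(year, m, day)


def change_instant(year, text):
    """Resolve a 'Mon dayform h[:mm]' triple, as used for ChangeTime."""
    month, form, tod = text.split()
    hours, _, minutes = tod.partition(":")
    day = resolve_day(year, month, form)
    return datetime.datetime(day.year, day.month, day.day,
                             int(hours), int(minutes or 0))


if __name__ == "__main__":
    # The MET / MET-DST example from this section, evaluated for 1995.
    print(change_instant(1995, "Mar lastSun 2:00"))
    print(change_instant(1995, "Sep lastSun 2:00"))
```
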



11.10.24 Set/Define Server UUCP

{SET | DEFINE} SERVER UUCP {ENABLED | DISABLED}

Enables or disables the UUCP handler on the unit. If enabled, the unit will listen to TCP/IP port 540 and
attempt to connect any logins there to a service called "UUCP" (typically a serial line with an attached
modem). If this service is nonexistent, the connection will be closed.

Restrictions Requires privileged user status.

Defaults Disabled

11.10.25 Show/Monitor/List Server

{SHOW | MONITOR | LIST} SERVER {BOOTPARAMS | CLOCK | COUNTERS | TIMEZONE}

This command is used to display the global attributes or counters for the server itself.

Restrictions You must be the privileged user to use the Monitor command. The List Server
command can only be used with the Bootparams parameter.

Parameters Bootparams

Displays parameters related to rebooting the unit and reloading the software
file.

Clock

Displays the local time and date and the UTC (GMT) time and date.

Counters

Displays the accumulated error counters for the Ethernet and TCP/IP protocols.
Counters can be reset to zero with the Zero Counters All command. The
four-digit bit position numbers represent one of the network error reasons
listed below:

Table 11-2: Server Failure Reasons

Bit  | Send Failure Reason | Receive Failure Reason
0    | Unused, should be 0 | Unused, should be 0
1    | Unused, should be 0 | Packet received with CRC error
2    | At least one collision has occurred while transmitting | Received packet did not end on byte boundary
3    | Transmit aborted due to excessive (more than 16) network collisions | FIFO overrun: Could not write received data before new data arrived
4    | Carrier sense was lost during transmission | Receive packet could not be accommodated due to lack of receive buffers
5    | FIFO underrun: Ethernet controller could not access transmit data in time to send it out | Received a packet larger than the maximum Ethernet size (1536 bytes)
6    | CD heartbeat not received after transmission | Unused, should be 0
7    | Out-of-window collision detected |
8-15 | Unused, should be 0 |

Timezone

Displays the timezone if a timezone has been specified.

Examples Local> SHOW SERVER BOOTPARAMS

See Also Set/Define Server Clock, page -103; Setting the Date and Time, page 2-8

11.10.26 Show/Monitor/List Timezone

{SHOW | MONITOR | LIST} TIMEZONE

Displays a table of timezone abbreviations which can be used to select a timezone for the server.

Restrictions You must be the privileged user to use the Monitor command.

See Also Setting the Date and Time, page 2-8

11.10.27 Show/Monitor Users

{SHOW | MONITOR} USERS

Displays the current users logged onto the server. For each user, the unit displays the port username and
current connection information.

Restrictions You must be the privileged user to use the Monitor command.

Errors List Users will cause an error.

11.10.28 Source

SOURCE host:filename [VERIFY]

Source attempts to download a configuration file from a TFTP host. The file is assumed to be lines of server
commands which will be executed. The Source command is most useful for trying out a configuration file
before using the Set/Define Server Startupfile command, discussed on page -111.

Restrictions Requires privileged user status.

Parameters host

Enter a TFTP host (text host name or IP address).

filename

The download path and filename, 22 characters maximum.

Note: If filename contains lower-case letters, it must be enclosed in quotation marks.

Verify

Displays each command from the configuration file before executing it.

Examples Local> SOURCE "labsun:start.com"

See Also Set/Define Server Startupfile, page -111

11.11 Site Commands

11.11.1 Define Site Authentication

DEFINE SITE SiteName AUTHENTICATION
    {CHAP | PAP | PROMPT} {ENABLED | DISABLED}
    DIALBACK {ENABLED | DISABLED | INSECURE}
    {LOCAL | REMOTE} {NONE | password}
    USERNAME {NONE | username}
Defines authentication information, such as site names and passwords, for link protocols that support 
authentication (for example, PPP). 

Restrictions Requires privileged user status. 

Parameters SiteName 

A site name of up to 12 characters. 

CHAP 

Enables or disables the Challenge Handshake Authentication Protocol for 
outgoing calls. 

PAP

Enables or disables the Password Authentication Protocol for outgoing calls.

Note: CHAP and PAP are part of PPP.

Prompt

When Prompt is enabled, incoming callers will be prompted for the local
password before starting PPP or SLIP.

Dialback

If Dialback is enabled, when the site receives an incoming connection, the unit
will hang up and initiate an outgoing connection to verify the caller's identity.
If Insecure dialback is enabled, the caller may be given the option of specifying
the dialback telephone number.

The site must have at least one port and a telephone number defined for the
outgoing connection (See Define Site Port).

Insecure

Allows CBCP-aware PPP clients the option of choosing their own number for
dialback. Be sure to read the cautions listed under Dialback Using CBCP on
page 10-7.

Local

Defines the password required from the remote host. Must be used in
conjunction with the None or password parameters.

Remote

Defines the password to be sent to the remote host. Must be used in
conjunction with the None or password parameter.

Username

Defines the username to be sent to the remote site. Must be used in conjunction
with the None or username parameters.

None

Specifies that a password or username will not need to be used.

password

A password of up to 10 alphanumeric characters.

username

A username of up to 10 characters.

Defaults Dialback, Prompt, CHAP, and PAP: Disabled

Local, Remote, and Username: None (no password or username defined)

Examples Local>> DEFINE SITE irvine AUTHENTICATION CHAP ENABLED

Local>> DEFINE SITE irvine AUTHENTICATION REMOTE NONE

See Also Set/Define Authentication, page -137; Show/Monitor/List Authentication,
page -159; Chapter 10, Security

11.11.2 Define Site Bandwidth

DEFINE SITE SiteName BANDWIDTH
    {ADD | REMOVE} utilization
    DEFAULT
    {INITIAL | MAXIMUM} BytesPerSecond
    {PERIOD | HOLDDOWN} seconds

Sets the initial or maximum amount of bandwidth that should be used when connecting to the specified site.
Also controls how the unit calculates the bandwidth needed, and how often it is checked to see if it is within
the desired range.

This command is only useful when Multilink (bandwidth on demand) is enabled. See Define Ports PPP
Multilink on page -58 and Bandwidth On Demand on page 4-6 for more information.

Restrictions Requires privileged user status.

Parameters SiteName

A site name of up to 12 characters.

Add

Attempts to add bandwidth whenever usage reaches a specified percentage.
Must be used in conjunction with the utilization parameter.

Remove 

Removes bandwidth when usage falls below a certain percentage. Must be 
used in conjunction with the BytesPerSecond parameter. 

utilization 

The percentage of usage above which the unit will attempt to add bandwidth 
and below which the unit will remove bandwidth. 



Default 

Returns the bandwidth to the unit's default setting. 
Initial 

Sets the initial amount of bandwidth. Must be used in conjunction with the 
BytesPerSecond parameter. 

Maximum

Sets the maximum amount of bandwidth. Must be used in conjunction with the
BytesPerSecond parameter.

BytesPerSecond

The precise bandwidth amount, up to 6,550,000 bytes per second. The server
will add ports until it reaches the specified amount.

BytesPerSecond is truncated to the nearest 100. For example, a setting of 3840
is truncated to 3800.

A BytesPerSecond value of 99 or less truncates to zero, disabling
bandwidth.

Period

Sets the number of seconds (specified by the seconds parameter) used to
calculate average utilization statistics. The value is expressed as percent usage
over a period of time.

Holddown

Specifies the minimum amount of time, in seconds, after adding or removing
bandwidth to the remote site before bandwidth can be adjusted again. Must be
used in conjunction with the seconds parameter.

Adding bandwidth after it has been removed or removing bandwidth after it
has been added requires double the number of seconds. For example, if a
holddown value of 5 is specified, adding bandwidth after it has been removed
will require a 10 second delay.

Defaults Add and Remove: Disabled (utilization = 0).

Default: bring up one port.

Initial and Maximum: 100 bytes per second.

Period: 60 seconds.

HoldDown timer: 60 seconds.

Examples Local>> DEFINE SITE irvine BANDWIDTH INITIAL 123

Local>> DEFINE SITE irvine BANDWIDTH ADD 50
Local>> DEFINE SITE irvine BANDWIDTH PERIOD 6

See Also Define Ports PPP Multilink, page -58; Define Site Port Bandwidth, page -128;
Show/Monitor/List Sites Bandwidth, page -133; Bandwidth On Demand, page
4-6

11.11.3 Define Site Chat

DEFINE SITE SiteName CHAT [AFTER LineNum | BEFORE LineNum | REPLACE LineNum]
    {[TIMEOUT seconds] {EXPECT string | FAIL} | SEND string}
DEFINE SITE SiteName CHAT DELETE LineNum
Configures a chat script to automate the login sequence when connecting to a remote site. Chat scripts are 
a set of commands that send data to the remote site and wait for certain replies after the modems (if any) 
have connected. Based on the replies, other commands are executed. 



Restrictions Requires privileged user status. 

Parameters SiteName 

Enter a site name of up to 12 characters. 

After

Inserts a line after another line.

Before

Inserts a line before another line.

Replace

Replaces a line with another line, specified with the LineNum parameter.
The default is to append information to the end of the script.

Timeout

Sets the time to wait before commands, or the number of times to wait for input
on a command before giving up. Must be used in conjunction with the seconds
parameter.

seconds

A number of seconds or tries between zero and 65500.

Expect

Looks for a string before executing the next line of the script.

string

The following special characters can be used in CHAT script expect strings,
which are case-sensitive.

String           Meaning
\N (0x0 hex)     Newline
\b (0x8 hex)     Backspace
\r (0xd hex)     Return
\n (0xda hex)    Newline
\t (0x14 hex)    Tab
\\ (0x5c hex)    \
\s (0x20 hex)    Space
\octal           Octal value (i.e., \101 = "A")

Fail

Uses the number specified as the Timeout seconds parameter to set the number
of times the search for a string (specified with the Expect parameter) can fail
before the whole script will give up. Each time the Expect command fails, the
script continues at the last Fail command. This permits looping while waiting
for a given prompt.

A sample script is displayed below.

Local>> DEFINE SITE irvine CHAT TIMEOUT 4 FAIL
Local>> DEFINE SITE irvine CHAT SEND

Local>> DEFINE SITE irvine CHAT TIMEOUT 2 EXPECT "login:"

This script will send a newline and wait for the string "login:" for two seconds.
If found, the script will continue. If not, the script will search again three times
before failing.

Send

Sends the specified string, followed by a newline character (0xd hex, 13
ASCII). If a string is not specified, only a carriage return is sent.

Delete

Removes a line.

LineNum

The line to remove.

Defaults Timeout: 0 (None defined)

marker and string: not defined

Examples Local>> CHAT REPLACE 1 EXPECT "login:"

Local>> CHAT DELETE 1

Local>> CHAT TIMEOUT 2 EXPECT "login:"
Local>> DEFINE SITE irvine CHAT SEND "hello?"

Local>> DEFINE SITE irvine CHAT REPLACE 4 TIMEOUT 3 EXPECT "login:"

See Also Show/Monitor/List Sites Chat, page -133; Chat Scripts, page 4-5

11.11.4 Define Site Filter

DEFINE SITE SiteName FILTER {IDLE | INCOMING | OUTGOING | STARTUP} {filtername | NONE}

Configures packet filters for the site. If a particular packet filter is not configured, all packets are considered 
matches of that filter type and are accepted. For example, if no incoming packet filter is configured, all 
packets will be accepted as incoming packets and will be allowed in. 

Restrictions Requires privileged user status. 

Parameters SiteName 

Enter a site name of up to 12 characters. 

Idle 

Configures the packet filter that resets the idle timer. Packets that pass this 
filter will reset the timer, keeping the site from timing out and disconnecting. 
Must be used in conjunction with the filtername parameter. 

Incoming 

Configures the packet filter for packets that come into the unit from the remote 
site. Packets that do not pass this filter will be dropped. Must be used in 
conjunction with the filtername parameter. 

Outgoing 

Configures the packet filter for packets going from the unit to the remote site. 
Packets that do not pass this filter will be dropped. Must be used in conjunction 
with the filtername parameter. 

Startup 

Configures the packet filter for regulating connections. Packets that pass this 
filter can cause the site to initiate a connection. Packets that do not pass this 
filter will be dropped if a link is not already in place, but will continue to their 
destination if a link has already been established. Must be used in conjunction 
with the filtername parameter. 

filtername 

Sets the filter to be used for a specific type of packet filtering. Filter names 
must be 3 characters or fewer. 

None 

Clears any previously-set filter for that site. 

Examples Local>> DEFINE SITE irvine FILTER IDLE a3f

Local>> DEFINE SITE irvine FILTER IDLE mOO
Local>> DEFINE SITE irvine FILTER IDLE gb






See Also 



Set/Define Filter, page -149; Show/Monitor/List Filter, page -160; Filter Lists, 
page 4- 1 



11.11.5 Define Site Idle 



DEFINE SITE SiteName IDLE seconds 



Sets the maximum time, in seconds, that the specified site may be idle before the link is shut down ("timed 
out"). 

Note: The unit must be idle for at least 10 seconds before the link can be shut down. 
Restrictions Requires privileged user status. 

Parameters SiteName 

Enter a site name of up to 12 characters. 

seconds 

The maximum length of time (specified by an integer between 10 and 65,000) 
that the site can remain idle before the link disconnects. A time setting of 0 will 
disable timeouts. 

Defaults Idle time: 600 seconds. 

Examples Local» DEFINE SITE irvine IDLE 600 

See Also Define Site Filter Idle, page -123; Set/Define Server Inactivity, page -104;
Reducing Cost, page 4-12

11.11.6 Define Site IP



DEFINE SITE SiteName IP { ENABLED | DISABLED }
                        ADDRESS { address | NONE }
                        COMPRESS { ENABLED | DISABLED }
                        DEFAULT { ENABLED | DISABLED }
                        NETMASK { mask | NONE }
                        REMOTEADDRESS { address [address] | NONE }
                        RIP { ENABLED | DISABLED }
                        RIP { LISTEN | SEND } { ENABLED | DISABLED }
                        RIP METRIC cost
                        RIP UPDATE time
                        SLOTS SlotNum
                        UNNUMBERED



Configures the Internet Protocol (IP). 



Restrictions Requires privileged user status.

Parameters SiteName

Enter a site name of up to 12 characters.

Enabled/Disabled

Enables or disables the site's use of IP. May be used instead of packet filters to 
prevent all IP packets from being forwarded. 

Address 

Sets the IP address (specified with the address parameter) on this server's IP 
interface. 

Compress 

Enables or disables header compression for the specified protocol. 
Default 

Advertises this server as the default route to the remote host. 
Netmask

Sets the IP Netmask on this server's IP interface.

mask

A value that is used to remove bits that you do not want.

Remoteaddress

Sets the IP address (specified with the address parameter) of the remote host.
If two addresses are specified, they indicate an acceptable range of addresses for
the remote host.

Callers cannot use IP addresses with the host part of the address set to zero or 
-1; these addresses are reserved for broadcast packets. If the specified range 
includes such an address (for example, 192.4.5.0 or 192.4.5.255) and a caller 
requests this address, the connection will be denied. 

address 

An IP address in standard numeric format. For example, 192.0.1.3. 
None 

Clears a current IP address, Remoteaddress address, Othermask, or Netmask. 
Unnumbered 

An IP address is not to be expected from the remote site. 
RIP 

Enables or disables RIP parameters, and allows specification of update times 
and hop counts for the interface. 

Enabled/Disabled 

Enables or disables both listen and send at the same time. 
Listen 

Enables or disables RIP listening only. 
Send 

Enables or disables RIP sending only. 
Metric 

Configures the cost ("hop-count") of this interface. Routes learned through this 
interface will have this value added to their metric. Must be used in 
conjunction with the cost parameter. 

cost 

An integer between 1 and 16. 

Note: Metric is commonly used to make a given interface less desirable for backup 
routing situations. 

Update 

Configures the time, in seconds, between RIP packets. Must be used
in conjunction with the time parameter.

time

An integer between 10 and 255 representing the number of seconds between
updates.

Slots

Configures the number of header compression slots. Must be used in
conjunction with the SlotNum parameter.

SlotNum

An integer between 1 and 254.

Defaults IP, Compress, and RIP: Enabled

Address, Netmask, and Remote Address: None

Default: Disabled

RIP Metric: 1

RIP Updates: every 30 seconds

Header compression slots: 16

Examples Local» DEFINE SITE irvine IP SLOTS 16

Local» DEFINE SITE irvine IP RIP UPDATE 30

Local» DEFINE SITE irvine IP UNNUMBERED

Local» DEFINE SITE irvine IP RIP METRIC 4

Local» DEFINE SITE irvine IP COMPRESS ENABLED

Local» DEFINE SITE irvine IP FORWARD ENABLED

See Also Set/Define Logging Sites, page -155; Show/Monitor/List Sites, page -133; IP
Configuration, page 4-3



11.11.7 Define Site MTU 



DEFINE SITE SiteName MTU MaxSize 



Configures the maximum sized packet that the remote site may send to the unit. Packets larger than this will 
be fragmented by the remote site. 



Restrictions Requires privileged user status. 

Parameters SiteName 

A site name of up to 12 characters. 

MaxSize 

Between 32 and 1522 bytes, inclusive. 

Note: The unit will negotiate MTU with the remote site, so the actual MTU may be 
lower than what is configured. 

Default 

1522 bytes. 

Examples Local» DEFINE SITE irvine MTU 256 
See Also Set/Define IP All/Ethernet MTU, page -20; Chapter 3, Basic Remote
Networking

11.11.8 Define Site Permanent

DEFINE SITE SiteName PERMANENT { ENABLED | DISABLED }



Configures a permanently connected site. When enabled, the site connects immediately after the unit boots. 
If the connection is interrupted and the site goes down, the site will reconnect as soon as it is able. 



Restrictions Requires privileged user status.

Parameters Enabled

Enables the specified site to be permanently connected.

Disabled

Disables a permanent connection for a site.

Examples Local» DEFINE SITE irvine PERMANENT ENABLED

11.11.9 Define Site Port

DEFINE SITE SiteName PORT { PortList | ALL } BANDWIDTH BytesPerSecond
                                             TELEPHONE { number | NONE }
                                             PRIORITY priorityNum





Configures a port that a site will use for its outgoing calls. Each port must have a telephone number 
associated with it. If multiple ports are associated with a site, they must be prioritized. 

Note: To purge the port setting from the site, see Purge Site on page -133. 
Restrictions Requires privileged user status. 

Parameters SiteName 

A site name of up to 12 characters. 

PortList/All 

Specifies a particular unit port, a list or range of ports, or all ports. Port 
numbers should be separated with commas (for lists) or dashes (for ranges). 

Note: A port must be defined before the Bandwidth, BytesPerSecond, and Telephone 
parameters can be used. 
Bandwidth

Gives the unit a bandwidth estimate for the device (for example, a modem) that 
is attached to the port. Must be used in conjunction with the BytesPerSecond 
parameter. 

Note: See Estimate Each Port's Bandwidth on page 4-7 for more information on how 
to use the port bandwidth setting. 

BytesPerSecond 

The bandwidth value. The value can range from 100 to 6,550,000 bytes per 
second. 

Telephone 

Specifies a telephone number for this port. This number will override the 
number defined for the site as a whole. Must be used in conjunction with either 
the number parameter or the None parameter. 

number 

A telephone "number" of up to 24 characters (characters can be of any type). 
None 

No specific telephone number will be set for this port. 
Priority 

Specifies a priority level for a particular port. Higher priority ports will be
dialed before ports with lower priority numbers. Must be used with the
priorityNum parameter.

priorityNum 

An integer between 1 and 100 representing the priority level of the specified 
port. 

Defaults Bandwidth: 100 bytes per second 

Examples Local» DEFINE SITE irvine PORT 2 TELEPHONE "8675309" 

Local» DEFINE SITE irvine PORT 2 BANDWIDTH 28800 

See Also Define Site Bandwidth, page -119; Show/Monitor/List Sites, page -133; How
Bandwidth is Controlled, page 4-6



11.11.10 Define Site Protocol 



DEFINE SITE SiteName PROTOCOL { PPP | SLIP }



Defines the "line" or "link layer" protocol that this site should use for outgoing calls. Reset the Maximum 
Transmission Unit (MTU) value to the default PPP or SLIP MTU value. 

Restrictions Requires privileged user status. 
Parameters SiteName

Enter a site name of up to 12 characters. 

PPP 

PPP will be used for outgoing calls. 
SLIP 

SLIP will be used for outgoing calls. 
Defaults PPP. 

See Also Link Layer Support, page 1-1; Incoming Connections on page 3-8

11.11.11 Define Site Telephone 



DEFINE SITE SiteName TELEPHONE { number | NONE }

Defines the telephone number of the remote site. Before you assign a telephone number, you must associate
the site with a unit port or ports.

Restrictions Requires privileged user status. 

Errors An error is returned if there is no port associated with the site. 

Parameters SiteName 

Enter a site name of up to 12 characters. 

number 

A telephone "number" of up to 24 characters. Characters of any type can be 
used. 

None 

No telephone number will be defined for this site. 
Default 

None (no telephone number is defined). 

Examples Local» DEFINE SITE irvine TELEPHONE "8675309" 

See Also Define Site Port Telephone, page -128; Assign a Telephone Number to the Port
or Site, page 3-15

11.11.12 Define Site Time

DEFINE SITE SiteName TIME ADD day starttime [day] endtime
                          DEFAULT { ENABLED | DISABLED }
                          CLEAR { number | ALL }
                          FORCEDIAL
                          SESSION limit
                          FAILURE seconds
                          SUCCESS seconds





Configures the time ranges during which outgoing connections are allowed from this site, and during which 
bandwidth can be adjusted for this site. 

Restrictions Requires privileged user status. 

Parameters SiteName 

Enter a site name of up to 12 characters. 

Add 

When the Default setting is Enabled (see below), specifies when connections 
are not allowed. When the Default setting is Disabled, specifies when 
connections are allowed. 

day 

Specify the days during which Adding will start and stop. Must be followed by 
both starttime and endtime parameters. If a second day is not specified, it is 
understood that the start time and end time occur on the same day. 

starttime, endtime 

Specify the time when Add will go into effect, and the time when Add will end, 
on the specified day. Times are specified in hh:mm format and are ordered with 
respect to their time settings rather than the order in which they were entered. 
Specified times are combined if appropriate. 

Note: Show/Monitor/List Sites SiteName Time displays the specified time ranges and 
their order. 

Default 

Set the default access parameter for the site. 

If the default is enabled, connections are allowed except during the times 
specified. If the default is disabled, connections are restricted except during the 
times specified. 
Clear

Remove a time range.

number

A time range to be removed. Time ranges are listed in numerical order. 
All 

Remove all time ranges. 
Forcedial 

Creates a connection, every day, at the time set with the other parameters. 
Session 

Sets the total time, in seconds, that this site can be active before it is logged out. 
Must be used in conjunction with the limit parameter. 

limit 

Specify a time range from 10 to 65,000 seconds. A setting of zero disables the 
session limit. 

Success 

Specifies a delay after a successful connection before another connection will 
be attempted. Must be used in conjunction with the seconds parameter. 

Failure 

Specifies a delay after a failed connection attempt before another connection 
will be attempted. Must be used in conjunction with the seconds parameter. 

Note: The success and failure settings control the time between calls. If the connection 
worked, the unit waits for the success delay to pass before attempting another 
connection. If the connection did not work, the unit waits for the failure delay to 
pass. 

seconds 

A delay time of 1 to 65000 seconds. 
Connection 

Specifies the minimum amount of time, in seconds, after a connection drops or 
fails before attempting to form another connection. Must be used in 
conjunction with the seconds parameter. 

Defaults Default: Disabled (connections are allowed only when specified).
Success: 1 second.
Failure: 30 seconds.
Session: 0 seconds (disabled).

Examples Local» DEFINE SITE irvine TIME ADD mon 8:00 mon 17:00
Local» DEFINE SITE irvine CLEAR TIME 3

See Also Set/Define Server Clock, page -103; Set/Define Server Timezone, page -112;
Show/Monitor/List Sites Time, page -133; Getting Timesetting Information,
page 4-13
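How the Default setting flips the meaning of the Add ranges, shown as an added example that is not part of the manual. Assumptions: day tokens other than mon follow the same three-letter pattern, a range covers its start minute but not its end minute, and "combined if appropriate" means overlapping or touching ranges are merged.

```python
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # only "mon" appears in the manual
DAY_MINUTES = 24 * 60
WEEK_MINUTES = 7 * DAY_MINUTES


def week_minute(day, hhmm):
    """Minutes since Monday 00:00 for a day token and an hh:mm time."""
    hours, minutes = hhmm.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return DAYS.index(day.lower()) * DAY_MINUTES + h * 60 + m


def parse_add(args):
    """'mon 8:00 mon 17:00' or 'mon 8:00 17:00' -> list of (start, end) intervals."""
    tok = args.split()
    if len(tok) == 3:                      # second day omitted: same day
        tok = [tok[0], tok[1], tok[0], tok[2]]
    if len(tok) != 4:
        raise ValueError(f"expected: day starttime [day] endtime, got {args!r}")
    start, end = week_minute(tok[0], tok[1]), week_minute(tok[2], tok[3])
    if start == end:
        raise ValueError("empty time range")
    if start < end:
        return [(start, end)]
    # The range runs past Sunday midnight: split it at the week boundary.
    return [(start, WEEK_MINUTES), (0, end)]


def combine(intervals):
    """Sort by start time and merge overlapping or touching intervals."""
    merged = []
    for start, end in sorted(iv for iv in intervals if iv[0] < iv[1]):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def windows(add_ranges):
    """All ADD ranges of a site as merged week-minute intervals."""
    return combine(iv for r in add_ranges for iv in parse_add(r))


def connection_allowed(default_enabled, add_ranges, day, hhmm):
    """Default Enabled: ranges block connections. Default Disabled: ranges permit them."""
    t = week_minute(day, hhmm)
    in_range = any(start <= t < end for start, end in windows(add_ranges))
    return not in_range if default_enabled else in_range


# Constructed sample ranges (the first is the manual's own example).
RANGES = ["mon 8:00 mon 17:00", "mon 16:00 18:30", "fri 22:00 mon 6:00"]

if __name__ == "__main__":
    print(windows(RANGES))
    for day, t in (("mon", "17:30"), ("tue", "9:00"), ("sun", "12:00")):
        print(day, t,
              "default disabled:", connection_allowed(False, RANGES, day, t),
              "default enabled:", connection_allowed(True, RANGES, day, t))
```

With the factory default (Default Disabled) and no Add ranges, `connection_allowed(False, [], ...)` is always false, so a newly defined site places no outgoing calls until a range is added or the default is enabled.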
11.11.13 Purge Site

PURGE SITE { SiteName | ALL } [PORT { PortNum | ALL }]



Removes a site, or removes ports from a site. 



Restrictions Requires privileged user status.

Parameters SiteName

Enter a site name of up to 12 characters.

All

When used before the Port parameter, removes all ports from the specified site.
When used either before the Port parameter or both before and after the Port
parameter, removes all ports from all sites.

Port

Removes a port from a site. Must be used in conjunction with the PortNum or
All parameters.

PortNum

An integer between 1 and 16.

Examples Local» PURGE SITE irvine PORT 2

See Also Define Site Port, page -128



11.11.14 Show/Monitor/List Sites 



{ SHOW | MONITOR | LIST } SITES STATUS [SiteName]
{ SHOW | MONITOR | LIST } SITES SiteName { ALL | BANDWIDTH | CHAT | COUNTERS | IP | PORTS | TIME }



In general, displays information about a specified site. The All keyword is a special case, as described 
below. 



Restrictions You must be the privileged user to use this command.

Parameters SiteName

A particular site name of up to 12 characters.

All

Displays all accumulated statistics for all sites that have started since the unit
was last booted, not just those that are running.

Bandwidth

Displays the specified site's bandwidth configuration and related statistics.

Chat

Displays a site's chat script.

Counters

Displays a site's counters.

IP

Displays a site's IP configuration.

Ports

Displays a site's ports.

Time

Displays time configuration for the specified site, including.

Status

Displays statistics for sites that have been active since booting.

Examples Local> SHOW SITE irvine CHAT

Local> SHOW SITE irvine IP

See Also Define Site commands, starting on page -117



11.11.15 Test Site 



TEST SITE SiteName



Tests a site without having to force packet traffic. When the command is issued, the unit will attempt a 
connection to the site and return basic status. The site must then be shut down manually. 



Errors 



An error will be returned if the site is unavailable. For more detailed 
information, use the Logging feature. 



See Also 



Define Site commands, starting on page -117; Set/Define Logging, page -155; 
Creating a New Site, page 3-2 
11.12 Security Commands

11.12.1 Clear/Purge Authentication 



{ CLEAR | PURGE } AUTHENTICATION USER { ALL | username }
                                 PRECEDENCE num



Removes information stored in the local authentication database. 



Restrictions Requires privileged user status.

Parameters User

Clears or purges a user from the local authentication database.

All

Clears or purges all users.

username

A specific username to clear or purge.

Precedence

Clears or purges a given precedence slot. Must be used in conjunction with the
num parameter.

num

A precedence number of 1 through 6.

Examples Local» CLEAR PURGE AUTHENTICATION USER "bob"
Local» PURGE AUTHENTICATION PRECEDENCE 2

See Also Set/Define Authentication, page -137; Set/Define Authentication Unique, page
-147; Show/Monitor/List Authentication, page -159; Chapter 10, Security.

11.12.2 Clear/Purge Dialback

{ CLEAR | PURGE } DIALBACK { ALL | username }



Removes a dialback setting for a particular username, or for all usernames. 
Restrictions Requires privileged user status.

Errors Clear Dialback will return an error if the specified username isn't found, or if
All is specified and no entries are configured.

Parameters All

Clears dialback settings for all usernames.

username

Clears dialback settings for the specified username.

Examples Local» CLEAR DIALBACK ALL
Local» PURGE DIALBACK robert

See Also Define Ports Dialback, page -48; Set/Define Dialback, page -148; Show/
Monitor/List Dialback, page -159; Dialback, page 10-5.



11.12.3 Clear/Purge Filter 



{ CLEAR | PURGE } FILTER filtername



Removes a specified packet filter. 

Restrictions Requires privileged user status. 



Parameters filtername

A particular packet filter to be removed.

Examples Local» PURGE FILTER abc

See Also Set/Define Filter, page -149; Show/Monitor/List Filter, page -160; Filter Lists,
page 4-1



11.12.4 Clear/Purge SNMP 



{ CLEAR | PURGE } SNMP { ALL | CommunityName }



Removes entries from the SNMP security table. 

Restrictions Requires privileged user status. 
Parameters All

Removes all SNMP table entries.

CommunityName

Enter the name of the SNMP community to be removed.

Examples Local» CLEAR SNMP "nycomm"

See Also Set/Define SNMP, page -158; Set/Define Filter IP, page -152; Show/Monitor/
List SNMP, page -161; Appendix B, SNMP Support

11.12.5 Set/Define Authentication

{ SET | DEFINE } AUTHENTICATION KERBEROS {options}
                                LOCAL {options}
                                RADIUS {options}
                                SECURID {options}
                                TFTP {options}
                                UNIQUE {options}
                                USER {options}



Configures the authentication system. Logins on ports with authentication enabled will be prompted for a
username and password pair, which will be checked sequentially against up to six databases: a Kerberos
database, the unit local database (NVR), a RADIUS server, a SecurID server, or a UNIX password file
(TFTP).

To configure one or more of the six databases, refer to the appropriate command in this section. 

Note: Precedence settings should be configured carefully. If a database is configured 
for a precedence slot that has already been filled by another database, it will take 
over the precedence setting and return all of the previous database's settings to 
their factory defaults. 

Restrictions Requires privileged user status. 

See Also Define Site Authentication, page -117; Chapter 10, Security 
11.12.6 Set/Define Authentication Kerberos

{ SET | DEFINE } AUTHENTICATION KERBEROS PRIMARY { address | NONE }
                                         SECONDARY { address | NONE }
                                         PRECEDENCE prec_num
                                         PRINCIPLE string
                                         INSTANCE string
                                         AUTHENTICATOR password
                                         ENCRYPTION { AFS | MIT }
                                         KVNO kvno_num
                                         MAXTRIES tries
                                         PORT PortNum
                                         REALM string
                                         TIMEOUT num





Specifies that a Kerberos database will be used for authentication. Specific Kerberos options are explained
in detail in the Kerberos section on page 10-11.

Restrictions Requires privileged user status. 

Parameters Primary 

Specifies the first database or server to be checked. A specific address may be 
set with the address parameter, or the None parameter may be used to indicate 
that the database or file will not be used. 

If the unit fails to authenticate the user using the primary database or server 
(due to network failure, server failure, missing or incorrect username/ 
password), the secondary database or server (discussed below) will be 
checked. If the user is authenticated at any point, the search process will stop 
and the login will be permitted. 

If the user cannot be authenticated using the secondary database or server, the 
database or server with the next precedence level will be checked. If all 
precedence levels fail to authenticate the user, the user is prevented from 
logging in. 

Secondary 

Sets the secondary database or server to be checked. A specific address may be 
set with the address parameter, or the None parameter may be used to indicate 
that the server will not be used. 
address

A text host name (if a DNS is available for name resolution) or an IP address 
in standard numeric format (for example, 192.23.71.49). 

None 

Clears the current server address. 
Precedence 

Sets the precedence in which this database or server is checked. The 
precedence number must be specified using the prec_num parameter. 

prec_num 

A precedence number between 1 and 6. 
Principle 

A label that identifies the authentication service that the unit requests from the 
Kerberos server. Must be used in conjunction with the string parameter. 

Instance 

A label that is used to distinguish among variations of the principle. Must be
used in conjunction with the string parameter.

string 

A string of up to 40 alphanumeric characters. 
Authenticator 

Specifies the password for the principle/instance pair. Must be used in 
conjunction with the password parameter. 

password 

A case-sensitive password of up to 40 alphanumeric or 8 hexadecimal 
characters. To preserve case, alphanumeric passwords must be enclosed in 
quotes. 

Encryption 

Specifies that either the Andrew File System (AFS) or MIT Encryption 
algorithm will be used to create the Kerberos keys. The unit encryption method 
should match the Kerberos server encryption method. 

MIT 

Enables use of the MIT encryption algorithm. 
AFS 

Enables use of the Andrew File System encryption algorithm. 
Port 

Specifies the UDP/IP Port number used to communicate with the Kerberos
server. The number applies to both the primary and secondary servers. Must be
used in conjunction with the PortNum parameter.

PortNum

An integer between 1 and 65535.

Timeout

Specifies the timeout period for a response from the Kerberos server. Must be 
used in conjunction with the seconds parameter. 

seconds 

An integer between 1 and 255, inclusive. 
Maxtries 

Specifies the maximum number of times that the unit will attempt to contact 
the Kerberos server. 

tries 

An integer between 1 and 255, inclusive. 
Realm 

Sets the Kerberos realm that the unit resides in. Often set to a name that mirrors 
the Internet domain name system. Must be used in conjunction with the string 
parameter, discussed earlier. 

KVNO (Key Version Number) 

Ensure that the unit and the Kerberos server are using the correct authenticator 
for the defined principle/instance pair. The unit KVNO must match the 
Kerberos server's KVNO. Must be used in conjunction with the kvno_num 
parameter. 

kvno_num 

An integer between 1 and 255, inclusive. 

Defaults Principle: rcmd 

Instance: unit 
Encryption: MIT 
PortNum: 750 
Timeout: 3 seconds 
MaxTries: 5 

See Also Define Site Authentication, page -117; Kerberos, page 10-11 
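The search order described above (primary, then secondary, then the next precedence level, on any failure including an incorrect password) and the precedence Note under Set/Define Authentication can be modelled as follows. This is an added example, not code from the manual or the unit's firmware: the back ends, accounts and passwords are constructed stand-ins, treating the local database as a single "primary" source is a modelling choice, and the passwordless local user reflects the Note under Set/Define Authentication User.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


class Unreachable(Exception):
    """Network or server failure; the search treats it like a rejection."""


Server = Callable[[str, str], bool]


@dataclass
class Database:
    name: str
    primary: Optional[Server] = None     # None models the NONE setting
    secondary: Optional[Server] = None


def _same(stored: str, supplied: str) -> bool:
    return hmac.compare_digest(stored.encode(), supplied.encode())


def remote_server(accounts, reachable=True) -> Server:
    """Constructed stand-in for a Kerberos, RADIUS, SecurID or TFTP back end."""
    def check(user, password):
        if not reachable:
            raise Unreachable(user)
        return user in accounts and _same(accounts[user], password)
    return check


def local_db(users) -> Server:
    """Local (NVR) database: a user with no password (None) is always admitted."""
    def check(user, password):
        if user not in users:
            return False
        return users[user] is None or _same(users[user], password)
    return check


class AuthConfig:
    def __init__(self):
        self.slots = {}                   # precedence 1..6 -> Database

    def define(self, db, precedence):
        """Put db in a slot. A different occupant is evicted and reset to NONE."""
        if not 1 <= precedence <= 6:
            raise ValueError("precedence must be 1 through 6")
        evicted = self.slots.get(precedence)
        # A database occupies one slot only (assumption): drop its old slot.
        self.slots = {p: d for p, d in self.slots.items() if d is not db}
        self.slots[precedence] = db
        if evicted is not None and evicted is not db:
            evicted.primary = evicted.secondary = None   # factory defaults
            return evicted.name
        return None

    def authenticate(self, user, password):
        """Return (name of admitting database or None, list of sources tried)."""
        tried = []
        for precedence in sorted(self.slots):
            db = self.slots[precedence]
            for role, server in (("primary", db.primary), ("secondary", db.secondary)):
                if server is None:
                    continue
                tried.append(f"{db.name}/{role}")
                try:
                    if server(user, password):
                        return db.name, tried        # first success ends the search
                except Unreachable:
                    pass                             # fall through to the next source
        return None, tried


def passwordless(users):
    """Local users that any password (or none) will log in."""
    return sorted(u for u, p in users.items() if p is None)


# Constructed sample data.
LOCAL_USERS = {"bob": None, "alice": "A1ice-pw"}


def build():
    cfg = AuthConfig()
    radius = Database("RADIUS",
                      primary=remote_server({"bob": "s3cret"}, reachable=False),
                      secondary=remote_server({"bob": "s3cret"}))
    cfg.define(radius, 1)
    cfg.define(Database("LOCAL", primary=local_db(LOCAL_USERS)), 2)
    return cfg, radius


if __name__ == "__main__":
    cfg, radius = build()
    print(cfg.authenticate("bob", "s3cret"))   # admitted by RADIUS secondary
    print(cfg.authenticate("bob", "wrong"))    # rejected by RADIUS, admitted by LOCAL
    print(passwordless(LOCAL_USERS))
```

In this configuration a wrong RADIUS password for bob still ends in a login, because the search continues to the local database where bob has no password. Running `passwordless` over the local user list before placing the local database in any precedence slot catches that case.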

11.12.7 Set/Define Authentication Local

{ SET | DEFINE } AUTHENTICATION LOCAL PRECEDENCE num

Specifies that a unit database (saved in NVR or RAM) will be used for authentication.

Restrictions Requires privileged user status.

Parameters Precedence

Sets the precedence in which this database or server is checked. Must be used
in conjunction with the prec_num parameter.

prec_num

A precedence number between 1 and 6, usually set to 1.

Examples Local» DEFINE AUTHENTICATION LOCAL PRECEDENCE 1

See Also Define Site Authentication, page -117; Set/Define Authentication Unique,
page -147; Local (NVR) Database, page 10-9



11.12.8 Set/Define Authentication RADIUS 



{ SET | DEFINE } AUTHENTICATION RADIUS PRIMARY { address | NONE }
                                       SECONDARY { address | NONE }
                                       PRECEDENCE prec_num
                                       MAXTRIES tries
                                       PORT PortNum
                                       TIMEOUT num
                                       SECRET string
                                       ACCOUNTING { ENABLED | DISABLED }
                                       ACCOUNTING PRIMARY { address | NONE }
                                       ACCOUNTING SECONDARY { address | NONE }
                                       ACCOUNTING PORT PortNum



Specifies that a RADIUS server will be used for authentication and/or accounting. 
Restrictions Requires privileged user status. 
Parameters Primary

Specifies the first server to be checked. A specific address must be set with the
address parameter, or the None parameter may be used to indicate that the
database or file will not be used.

If the unit fails to authenticate the user using the primary database or server
(due to network failure, server failure, missing or incorrect username/
password), the secondary database will be checked. If the user is authenticated
at any point, the search process stops and the login is permitted.

If the user cannot be authenticated using the secondary server, the database or server
with the next precedence level will be checked. If all precedence levels fail to
authenticate the user, the user is prevented from logging in.

Secondary

Sets the secondary server to be checked. A specific address may be set with the
address parameter, or the None parameter may be used to indicate that the
server will not be used.

address 

A text host name (if DNS is available for name resolution) or an IP address in 
standard numeric format (for example, 193.23.71.49). 

None 

Clears the current server address. 
Precedence 

Sets the precedence in which this database or server is checked. The 
precedence number must be specified using the prec_num parameter. 

prec_num 

A precedence number between 1 and 6. 
Maxtries 

Specifies the maximum number of times that the unit will attempt to contact
the RADIUS server. Maxtries must be used in conjunction with the tries
parameter.

tries 

An integer between 1 and 255, inclusive. 
Port 

Specifies that authentication or accounting information should be sent to a 
specific port on the server, specified with the PortNum parameter. 

PortNum 

A port number between 0 and 65535, inclusive. 
Timeout 

Specifies the timeout period for a response from the RADIUS server. Must be 
used in conjunction with the num parameter. 

num 

An integer between 1 and 255, inclusive. 
Note: For accounting, the unit has to hold onto packets until they can be verified. If the
Maxtries and Timeout values are too large, you can overflow the unit and it will
begin to drop accounting packets. This can be avoided by setting retries and
timeouts to lower values.

Secret

Specifies the secret to be shared between the RADIUS client and server. Must
be used in conjunction with the string parameter.

string

A string of up to 64 characters. This string must be identical to that used by
the RADIUS server for the unit.

Accounting 

Specifies that RADIUS accounting information will be sent to a RADIUS 
accounting server. Accounting can be enabled even if the unit does not use a 
RADIUS server for authentication. 

Primary 

Specifies the primary accounting server to which accounting information will 
be sent. If the primary server cannot be reached, the secondary server will be 
tried. 

Secondary 

Specifies the secondary accounting server to which accounting information 
will be sent when the primary server cannot be reached. 

PortNum 

A port number between 0 and 65535, inclusive. 

Defaults Authentication port: 1645 

Maxtries: 3 
Timeout: 1 (second) 
Accounting port: 1646 

Examples Local» define authentication radius primary 192.0.1.55:1234

Local» DEFINE AUTHENTICATION RADIUS TIMEOUT 10 MAXTRIES 4
Local» DEFINE AUTHENTICATION RADIUS ACCOUNTING ENABLED

See Also Clear/Purge Authentication, page -135; Define Site Authentication, page -117;
Show/Monitor/List Authentication, page -159; RADIUS, page 10-12

11.12.9 Set/Define Authentication SecurID



{ SET | DEFINE } AUTHENTICATION SECURID PRIMARY { address | NONE }
                                        SECONDARY { address | NONE }
                                        PRECEDENCE prec_num
                                        ENCRYPTION { SID | DES }
                                        MAXTRIES tries
                                        PORT PortNum
                                        TIMEOUT num

Specifies that a Security Dynamics ACE/SecurID server will be used for authentication.
Restrictions Requires privileged user status. 

Parameters Primary 

Specifies the first database or server to be checked. A specific address may be 
set with the address parameter, or the None parameter may be used to indicate 
that the database or file will not be used. 

Secondary 

If the unit fails to authenticate the user using the primary database or server
(due to network failure, server failure, missing or incorrect username/
password), the secondary database or server will be checked. A specific
address may be set with the address parameter, or the None parameter may be
used to indicate that the server will not be used.

If the user cannot be authenticated using the secondary database or server, the 
database or server with the next precedence level will be checked. If all 
precedence levels fail to authenticate the user, the user is prevented from 
logging in. 

address 

A text host name (if a DNS is available for name resolution) or an IP address 
in standard numeric format (for example, 192.23.71.49). 

None 

Clears the current server address. 
Precedence

Sets the precedence in which this database or server is checked. The
precedence number must be specified using the prec_num parameter.

prec_num

A precedence number between 1 and 6.

Encryption

SecurID (SID) or DES encryption will be used for authentication.

SID

Enables use of SecurID encryption.

DES

Enables use of DES encryption.

Maxtries

Specifies the maximum number of times the unit will attempt to contact the
SecurID server. Must be used in conjunction with the tries parameter.

tries

An integer between 1 and 255, inclusive.

Port

Specifies the UDP/IP port number used to communicate with the primary and
secondary SecurID servers. Must be used in conjunction with the PortNum
parameter.

PortNum

An integer between 1 and 65535.

Timeout

Specifies the timeout period for a response from the SecurID server. Must be
used in conjunction with the seconds parameter.

seconds

An integer between 1 and 255, inclusive.

Defaults Encryption: DES

Maxtries: 5
UDP/IP port: 755
Timeout: 3 seconds

Examples Local» define authentication securid primary 192.0.1.55

Local» DEFINE AUTHENTICATION SECURID TIMEOUT 10 MAXTRIES 4
Local» DEFINE AUTHENTICATION SECURID ACCOUNTING ENABLED

See Also Define Site Authentication, page -117; SecurID, page 10-16
11.12.10 Set/Define Authentication TFTP

{ SET | DEFINE } AUTHENTICATION TFTP PRIMARY { address | NONE }
                                     SECONDARY { address | NONE }
                                     PRECEDENCE prec_num
                                     FILENAME filename



Specifies that a UNIX password file will be used for authentication. This file will be read via the TFTP 
protocol. 

Note: A TFTP-readable password file may reduce network security.
Restrictions Requires privileged user status. 

Parameters Primary 

Specifies the first database or server to be checked. A specific address may be 
set with the address parameter, or the None parameter may be used to indicate 
that the database or file will not be used. 

Secondary 

If the unit fails to authenticate the user using the primary database or server 
(due to network failure, server failure, missing or incorrect username/ 
password), the secondary database or server will be checked. A specific 
address may be set with the address parameter, or the None parameter may be 
used to indicate that the server will not be used. 

If the user cannot be authenticated using the secondary database or server, the 
database or server with the next precedence level will be checked. If all 
precedence levels fail to authenticate the user, the user is prevented from 
logging in. 

address 

A text host name (if a DNS is available for name resolution) or an IP address 
in standard numeric format (for example, 192.23.71.49). 

None 

Clears the current server address.

Precedence

Sets the precedence in which this database or server is checked. The
precedence number must be specified using the prec_num parameter.

prec_num

A precedence number between 1 and 6.

filename

Specify a TFTP password file name of up to 32 characters. If spaces or 
lowercase characters are used, the filename must be enclosed in quotes. 

Examples Local» SET AUTHENTICATION TFTP FILENAME radicchio 

See Also Define Site Authentication, page -117; UNIX Password File, page 10-17 



11.12.11 Set/Define Authentication Unique 



{SET | DEFINE} AUTHENTICATION UNIQUE {ENABLED | DISABLED}



When enabled, the authentication code prevents multiple incoming authenticated logins by the same user. 
It does not prevent the user from making additional non-authenticated connections. 

Restrictions Requires privileged user status. 

See Also Restricting Multiple Authenticated Logins, page 10-19 

11.12.12 Set/Define Authentication User 





{SET | DEFINE} AUTHENTICATION USER username {password |
                                             command |
                                             EXPIRED |
                                             ALTER {ENABLED | DISABLED}}





Configures entries to the local database. To indicate which username entry will be modified, a username 
must be specified using the username parameter. 

Restrictions Requires privileged user status. 

Parameters username 

A username of up to 16 characters. The name is converted to all uppercase
unless it is enclosed in quotes.

password

A password of up to 16 characters that the user must enter. The password is
converted to all uppercase unless it is enclosed in quotes.

Note: Users who don't have passwords configured for them will always be granted
access.

command

A command or series of commands that will be executed after login.
Commands must be enclosed in quotes and separated by semicolons. The
combined length of a series of commands cannot exceed 100 characters.

Expired

Forces a user to select a new password upon next login.

Alter

Enables or disables a user's ability to change his password. The password can
be changed with the Set/Define Password command.

Examples Local» SET AUTHENTICATION USER "fred" COMMAND "TELNET athena; LOGOUT"

See Also Define Site Authentication, page -117; Set/Define Password, page -158; Local
(NVR) Database, page 10-9

11.12.13 Set/Define Dialback 



{SET | DEFINE} DIALBACK {username {phonenum | BYPASS} |
                         BYPASS {ENABLED | DISABLED}}



The Dialback feature enables a system manager to set up a dialback list of authorized users for incoming 
modem connections. Dialback lists include usernames and corresponding phone numbers. When a 
username entered matches one in the list, the port is logged out and the unit sends the corresponding phone 
number to the serial port, at which time the port's modem profile initiates the modem connection.

Restrictions Requires privileged user status. 

Parameters username 

A text name, up to 16 characters long. If white space or lowercase characters 
are used, the username must be enclosed in quotes. 

phonenum 

A telephone number.

Note: The ATDT command should not be entered in the telephone number string. The
modem profile will prepend any necessary command prefixes.

Bypass 

When the Bypass parameter is associated with a username, the port will not be 
logged out, and the user will not be dialed back, when attempting to connect to 
the unit. The word "bypass" must be associated with the username in the 
dialback database in order for dialback to be bypassed. 

When Bypass is used with the Enabled parameter (that is, not associated with 
a username), users not in the dialback database are immediately given the 
Local> prompt. When disabled, users not in the database are denied access. 

Examples Local» SET DIALBACK "susan" 867-5309

See Also Define Ports Dialback, page -48; Dialback, page 8-11; Dialback, page 10-5 

11.12.14 Set/Define Filter 









{SET | DEFINE} FILTER filtername {CREATE |
                                  DELETE ruleNum |
                                  {ADD | AFTER | CONTINUE | BEFORE | REPLACE} [pos] {ALLOW | DENY} {ANY | GENERIC {options} | IP {options}}}







Creates or deletes a packet filter, or configures a rule in that filter that is used to manage network traffic. 
These packet filters are applied to packets arriving from or going to remote dialup sites. 

Each rule consists of a name, a position, an action (allow or deny) and a protocol segment. To configure 
protocol options, refer to the appropriate command on the following pages. Due to space considerations, the 
command syntax from the Add braces to the Allow/Deny braces in the above diagram is represented by an
ellipsis (...) in the remaining Set/Define Filter commands.

Restrictions Requires privileged user status. 

Parameters filtername 

The name of the filter in which the new rule will be included, up to 12 letters 
in length. 

Create 

Creates a new filter with the specified filtername. Filters must be created
before their rules can be added, deleted, or otherwise modified.

Delete

Removes the specified rule from the named filter.

ruleNum

The number of the rule to be deleted.

Add

Adds a rule after another rule. If no position is specified, the rule is added to
the end of the list of rules.

After

Inserts a rule after another rule. If no position is specified, the rule is added to
the end of the list of rules.

Before

Inserts a rule before another rule. If no position is specified, the rule is added
to the beginning of the list of rules.

Replace

Replaces an existing rule with a new one. If no position is specified, the first
rule in the list is replaced.

pos

A location in the filter list to perform a specific function, such as Add.

Allow

Allows passage of data packets that meet the defined filter criteria. The criteria
consist of all specified parameters after Allow.

Deny

Denies passage of data packets that meet the defined filter criteria. The criteria
consist of all specified parameters after Deny.

Examples Local» define filter abc create

Local» DEFINE FILTER abc DELETE 2
(Removes the second rule in filter list abc.)

In-depth protocol-related examples are given with the subcommands
listed on the following pages.

See Also Define Site Filter, page -123; Clear/Purge IP Security, page -16; Define Ports
Dialback, page -48; Packet Filters and Firewalls, page 10-22.

11.12.15 Set/Define Filter Any 



{SET | DEFINE} FILTER filtername ... ANY

Specifies that every packet will be allowed or denied passage through the unit. Using the Any parameter
along with either Allow or Deny will affect all packets regardless of any filter specifications that follow.
Usually, an Any rule is placed at the end of a filter list to process data packets not specifically identified by
the previous rules in the list.

Restrictions Requires privileged user status.

See Also Define Site Filter, page -123; Clear/Purge IP Security, page -16; Define Ports
Dialback, page -48; Packet Filters and Firewalls, page 10-22



11.12.16 Set/Define Filter Generic 



{SET | DEFINE} FILTER filtername ... GENERIC OFFSET offset MASK mask {EQ | GE | GT | LE | LT | NE} value





Specifies a general filter rule that applies to any packet regardless of protocol. A Generic rule starts at a 
location offset bytes from the beginning of the packet, applies the specified mask, and then compares the 
result with a specified value. Multiple generic offset segments can be included in a single rule, subject to 
the maximum command line length of 132 characters (see the example below). 

Restrictions Requires privileged user status. 

Parameters offset 

Defines where in the data packet the unit is to apply the mask. May be a 
decimal value from 0 to 1500, where 0 indicates the first data position in the 
packet. 

mask

A hexadecimal or decimal number.

operator

(EQ, GE, GT, LE, LT, NE)

The available operators are: equal to (EQ), greater than or equal to (GE),
greater than (GT), less than or equal to (LE), less than (LT), and not equal to
(NE).

value

A hexadecimal or decimal number.

Examples Local» DEFINE FILTER abc ADD DENY GENERIC OFFSET 0 MASK 0xff000000
GT 0x25000000 OFFSET 8 MASK 0xffffffff EQ 0x12345678
(Adds a rule containing two generic segments to filter abc.)

See Also Define Site Filter, page -123; Clear/Purge IP Security, page -16; Define Ports
Dialback, page -48; Packet Filters and Firewalls, page 10-22
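
The offset/mask/operator/value comparison described above, worked through in Python as an added illustration (not the unit's firmware or SMC code). It assumes details the manual does not state: each segment reads a 32-bit big-endian word at the offset, every segment in a rule must match, a packet too short for a segment does not match it, and the first matching rule in the list decides.

```python
import operator
import struct

# Comparison operators named in the manual.
OPS = {"EQ": operator.eq, "GE": operator.ge, "GT": operator.gt,
       "LE": operator.le, "LT": operator.lt, "NE": operator.ne}

# Generic segments of the manual's example rule for filter abc.
MANUAL_RULE = ("OFFSET 0 MASK 0xff000000 GT 0x25000000 "
               "OFFSET 8 MASK 0xffffffff EQ 0x12345678")

# Constructed 12-byte sample packets (not captured traffic).
PKT_DENIED = bytes.fromhex("260000000000000012345678")
PKT_PASSED = bytes.fromhex("25ffffff0000000012345678")
PKT_SHORT = bytes.fromhex("26000000000000001234")


def parse_generic(text):
    """Parse 'OFFSET n MASK m OP v ...' into (offset, mask, op, value) tuples."""
    tokens = text.split()
    if not tokens or len(tokens) % 6:
        raise ValueError("each segment is OFFSET offset MASK mask operator value")
    segments = []
    for i in range(0, len(tokens), 6):
        kw_off, off, kw_mask, mask, op, value = tokens[i:i + 6]
        if kw_off.upper() != "OFFSET" or kw_mask.upper() != "MASK":
            raise ValueError("expected OFFSET ... MASK ...")
        if op.upper() not in OPS:
            raise ValueError("unknown operator " + op)
        offset = int(off, 10)                 # decimal, 0 to 1500 per the manual
        if not 0 <= offset <= 1500:
            raise ValueError("offset out of range")
        # int(x, 0) accepts decimal and 0x-prefixed hexadecimal numbers.
        segments.append((offset, int(mask, 0), op.upper(), int(value, 0)))
    return segments


def segment_matches(packet, segment):
    offset, mask, op, value = segment
    word = packet[offset:offset + 4]
    if len(word) < 4:
        return False        # assumption: too-short packets never match
    (data,) = struct.unpack("!I", word)       # assumption: 32-bit big-endian
    return OPS[op](data & mask, value)


def evaluate(rules, packet):
    """Return the action of the first matching rule, or None if none matches.

    rules is a list of (action, segments); segments of None stands for ANY.
    """
    for action, segments in rules:
        if segments is None or all(segment_matches(packet, s) for s in segments):
            return action
    return None


if __name__ == "__main__":
    rules = [("DENY", parse_generic(MANUAL_RULE)), ("ALLOW", None)]
    for name, pkt in (("denied", PKT_DENIED), ("passed", PKT_PASSED),
                      ("short", PKT_SHORT)):
        print(name, evaluate(rules, pkt))
```

Without the trailing ANY rule, a packet that matches nothing gets no explicit decision from the list, which is why the manual suggests ending a filter with one.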



11.12.17 Set/Define Filter IP 



{SET | DEFINE} FILTER filtername ... IP {IPGENERIC OFFSET offset MASK mask {EQ | GE | GT | LE | LT | NE} value |
                                         DST ipMask address |
                                         SRC ipMask address |
                                         TOS mask value |
                                         protocolNum |
                                         ICMP |
                                         TCP {{DPORT | SPORT} {EQ | GE | GT | LE | LT | NE} {portNum | portKeyword} | ACK} |
                                         UDP {DPORT | SPORT} {EQ | GE | GT | LE | LT | NE} {portNum | portKeyword}}

Creates a rule that applies only to IP protocol packets.

Restrictions Requires privileged user status.

Parameters DST

Allows or denies passage of data packets destined for a specific node on the
local area network. Must be used in conjunction with the ipMask and address
parameters.

SRC

Allows or denies passage of data packets that originated from a specific node
on the local area network. Must be used in conjunction with the ipMask and
address parameters.

ipMask

An IP address in standard numeric format (for example, 193.0.1.255).

address

An IP address in standard numeric format (for example, 193.0.1.50).

TOS

Builds a rule using the IP Type of Service field. Must be used in conjunction 
with the mask and value parameters. For TOS, the operator EQ is implied. 

IPGeneric 

Specifies a general IP rule using one set of offset, mask, operator, and value. 
Multiple IPGeneric segments can be included in a single rule (in one 
command), subject to the maximum command line length of 132 characters. 

offset 

Defines where in the data packet to apply the mask. May be a decimal value 
from 0 to 1500, where 0 indicates the first data position in the data packet. 

mask 

A hexadecimal or decimal number. The mask is applied to the data using the 
operator and the result is compared with the value. In the case of TOS, the 
operator EQ is implied. 

operator

(EQ, GE, GT, LE, LT, NE)

The available operators are: equal to (EQ), greater than or equal to (GE),
greater than (GT), less than or equal to (LE), less than (LT), and not equal to
(NE).

value

A hexadecimal or decimal number.

protocolNum

Allows or denies packets of the protocol specified by an IP protocol identifier
number between 0 and 65535.

ICMP

Allows or denies Internet Control Message Protocol packets.

TCP

Allows or denies TCP-based packets which match criteria specified by the
subsequent parameters. Applications that use TCP include Telnet, FTP, and
SMTP (Simple Mail Transfer Protocol).

UDP

Allows or denies User Datagram Protocol (UDP) based packets which match 
criteria specified by subsequent parameters. Applications that use UDP 
include DNS (Domain Name Service), TFTP (a variant of FTP), and BOOTP 
(used by some computer systems to acquire IP addresses). 

DPort 

Defines the destination protocol port. Data packets are filtered based on both 
the protocol and on the protocol port of the data packet. 

SPort 

Defines the source protocol port. Data packets are filtered based on both the 
protocol and the protocol port of the data packet. 

portNum

A TCP or UDP port number.

portKeyword

A keyword corresponding to the TCP or UDP port number. Available 
keywords are BOOTP, DNS, FINGER, FTP, FTPDATA, HTTP, NNTP, NTP, 
POP2, POP3, RIP, SMTP, SNMP, SYSLOG, TELNET, and TFTP. 

ACK 

Allows or denies TCP-based packets in which the ACK (acknowledge) bit is 
set. 

Examples Local» DEFINE FILTER abc ADD DENY IP
(Adds a rule for all IP traffic to filter abc.)

Local» DEFINE FILTER abc ADD ALLOW IP IPGENERIC OFFSET 0 MASK
0xff000000 LT 0x34000000 TCP DPORT EQ TELNET
(Adds a rule containing an IP generic segment and DPORT to filter abc.)

Local» DEFINE FILTER abc ADD ALLOW IP SRC 255.255.255.0 192.34.87.0
TCP DSOCK EQ NCP
(Adds a rule containing IP SPORT and SRC to filter abc.)

See Also Define Site Filter, page -123; Clear/Purge IP Security, page -16; Define Ports
Dialback, page -48; Packet Filters and Firewalls, page 10-22

11.12.18 Set/Define Logging

{SET | DEFINE} LOGGING {DESTINATION {location | NONE} |
                        {AUTHENTICATION | DIALBACK | IP | MODEM | PPP | SITE} {num | NONE} |
                        {COMMANDS | NETWORK | PRINTER | SYSTEM} {ENABLED | DISABLED}}

Controls error and event logging on the unit. Events can be logged to a network host via TCP/IP or to a 
terminal connected to the unit. 

The host must be configured to support logging. For a TCP/IP host, the host's syslog facility must be
configured; make sure all priorities equal to or higher than *.notice are being logged. The syslog file is
typically located in the /etc directory; see your host's documentation or syslogd for more information.

Note: Logging levels are cumulative; setting logging to level 4 includes levels 1
through 3 as well. See Chapter 10, Security, for a detailed description of the
events that can be logged.

Restrictions Requires privileged user status. 

Parameters Destination 

Specifies a destination for the logging messages. Must be used in conjunction 
with the address parameter or the None parameter. 

location

A fileserver name or IP address. This parameter may be specified as one of the
following:

String/Form    Action
hostname:      Specifies a TCP/IP host
CONSOLE        Sends events to the unit console port
Memory         Saves events in unit memory

None

Disables logging.

Authentication

Logs events associated with authentication. Must be used with the num 
parameter or the None parameter. 



Level Information 



1 System Problems 

2 Failures and Successes 

3 All Logins and Logouts 

4 Incorrect Passwords 

5 All Passwords, RADIUS Warnings 



Dialback 

Logs events associated with dialback functionality. Must be used with the num 
parameter or the None parameter. 



Level Information 

1 Dialback Problems 

2 Unauthorized Users 

3 Dialback Failures 

4 Dialback Successes 

5 Dialback Attempts 

6 Modem Chat 

IP 

Traces the activities of the IP router. Must be used with the num parameter or 
the None parameter. 



Level Information 

1 Errors 

2 Packets triggering remote connections 

3 Routing table/interface changes 

4 Incoming/outgoing RIP packets 

5 Resulting routing table (verbose) 

6 Contents of all RIP packets (verbose) 

7 Routed packets (verbose) 

Note: Setting the IP logging level to 2 or greater results in a syslog that prints the
source/destination IP address, protocol, and TCP/UDP source/destination
ports.

Modem

Logs modem activity, including modem jobs (incoming and outgoing). Must
be used with the num parameter or the None parameter.

Level Information

1 Problems

2 Call Statistics Dump From Modem

3 Setup

PPP

Logs events associated with PPP. Must be used with the num parameter or the
None parameter.

Level Information

1 Local System Problems

2 Remote System Problems

3 Negotiation Failures

4 Negotiation Data

5 State Transitions

6 Full Debugging

Site

Logs events associated with sites. Must be used with the num parameter or the
None parameter.

Level Information

1 Errors

2 State Transitions

3 Chat Scripts

4 Modem Dialing

5 Port Connections

6 Connection Failures

7 Usage Summary

num

An integer that specifies a particular level of logging.

Commands

When enabled, logs all commands users type.

Network

When enabled, logs network events. This is useful for diagnosing network-related
problems.

Printer

When enabled, logs printer related events including online/offline conditions
and job status at the end of job.

System

When enabled, logs server boots, log file open/closes, and other system related
activity.

Defaults Destination: None
Logging Options: None/Disabled (logging turned off)

Examples Local» SET LOGGING AUTHENTICATION 5

See Also Show/Monitor/List Logging, page -160; Event Logging, page 10-24



11.12.19 Set/Define Password 



{SET | DEFINE} PASSWORD

Changes the current user's password in the local authentication database, provided the user is defined in the
database and has permission to alter the password. When this command is entered, the user will be prompted
for the old password, then prompted to enter and verify a new password.

Note: The user has three chances to enter the old password before he or she is logged
out of the unit.

Restrictions Does not require privileged user status. To prevent users from altering their
own passwords, enter the Set/Define Authentication User Alter Disabled
command.

See Also Set/Define Authentication User, page -147; Clear/Purge Authentication, page
-135; Show/Monitor/List Authentication, page -159



11.12.20 Set/Define SNMP 





{SET | DEFINE} SNMP COMMUNITY community ACCESS {BOTH | NONE | READ}

Configures a community name and access mode for SNMP access. Each name has an access restriction
associated with it; if an SNMP command comes in with an unknown name or an unauthorized command,
an SNMP error reply will be sent. Community names are not case-sensitive.

Restrictions You must be the privileged user to use this command.

Parameters community

A text name, up to 16 characters long.

Access

Specifies the type of SNMP access. Must be used in conjunction with one of
the following parameters: Both, None, or Readonly.

Both

Both read and write requests will be permitted.

None

No SNMP requests are permitted.

Read

Read-only access will be permitted.

Examples Local» SET SNMP COMMUNITY SUNMAN ACCESS BOTH

See Also Clear/Purge SNMP, page -136; Appendix B, SNMP Support



11.12.21 Show/Monitor/List Authentication

{SHOW | MONITOR | LIST} AUTHENTICATION USERS [username]

Displays the local authentication database.

Restrictions Requires privileged user status.

Parameters username

Displays authentication information for the specified user.

Examples Local» SHOW AUTHENTICATION USER "bob"

See Also Set/Define Authentication, page -137; Local (NVR) Database, page 10-9



11.12.22 Show/Monitor/List Dialback

{SHOW | MONITOR | LIST} DIALBACK

Displays the currently configured dialback strings, as well as the number of connect attempts with that string
and the number of connect failures.

Restrictions Requires privileged user status.

See Also Clear/Purge Dialback, page -135; Define Ports Dialback, page -48; Set/Define
Dialback, page -148; Dialback, page 7-12; Dialback from Local Mode, page
10-6



11.12.23 Show/Monitor/List Filter

{SHOW | MONITOR | LIST} FILTER [filtername]

Displays the currently configured packet filters. An individual filter may be specified using the optional
filtername parameter.

Restrictions Requires privileged user status.

See Also Set/Define Filter, page -149; Clear/Purge Filter, page -136; Filter Lists, page
4-1



11.12.24 Show/Monitor/List Logging

{SHOW | MONITOR | LIST} LOGGING [MEMORY]

Displays the current or saved event logging configuration.

Restrictions You must be the privileged user to use the Monitor command.

Secure users may not use this command.

Parameters Memory

Displays the memory log.

See Also Set/Define Logging, page -155; Event Logging, page 10-24

11.12.25 Show/Monitor/List SNMP

{SHOW | MONITOR | LIST} SNMP

Displays the current or saved SNMP security table entries.

Restrictions Requires privileged user status.

See Also Clear/Purge SNMP, page -136; Appendix B, SNMP Support






A: Contact Information 



If you are experiencing an error that is not listed in Appendix B of your Installation Guide, or if you are 
unable to fix the error, contact your dealer or SMC Technical Support at 800-SMC-4YOU. Technical 
Support is also available via Internet email at techsupport@smc.com. 

A.1 Problem Report Procedure 

When you report a problem, please provide the following information: 

♦ Your name, and your company name, address, and phone number 

♦ SMC unit model number 

♦ SMC unit serial number 

♦ Software version (use the Show Server command to display) 

♦ Network configuration, including the information from a Netstat command 

♦ Description of the problem 

♦ Debug report (stack dump), if applicable 

♦ Status of the unit when the problem occurred (please try to include information on user and network
activity at the time of the problem)

B: Environment Strings



B.1 Usage 

An environment string is a sequence of key letters, sometimes prefixed by a plus (+) or minus (-). 
Environment strings can be used with certain commands to configure connections. The keys are added after 
the hostname (if one is given) and a colon. 

Key letters are not case-sensitive, and no white space is allowed in the environment string. In addition, 
commands that oppose previously-configured settings will overwrite the previous setting, even if they 
appear on the same command line. 

B.1.1 Multiple Strings 

More than one string can be entered as part of a single command. Multiple strings do not need to be 
separated from each other. For example, you can enter a command that specifies both the desired port 
number and that the connection should be in Passall mode.

Figure A-1: Entering Multiple Strings

Local» DEFINE PORTS DEDICATED TELNET 192.0.1.3:2001+P



B.2 Available Strings 

Note: In most applications, environment strings are not necessary. 

Environment keys must be separated from the hostname, if one is specified, by a colon. Read the following 
sections carefully for more details on proper usage of each key. 

Table A-1: Environment Strings

nnnn    socket number (TCP and UDP only)
C       +C = CR to CRLF, -C = CR to LF
D       +D = Backspace mode, -D = Delete mode
E       +E = Local Echo mode, -E = Remote Echo mode
P       +P = Passall mode, -P = Passthru mode
R       Rlogin protocol (sets port number to 513 if not already set)
T       TCP mode (raw uninterpreted data stream)



B.2.1 Usage Examples 

These examples should illustrate the proper usage of the above environment strings.

B.2.1.1 nnnn

Sets a socket number. For TCP and UDP connections only. The most common socket numbers are 7000
(the remote console port), 200x (for Telnet IAC interpretation), and 300x (for raw TCP/IP), where x is the
number of the desired serial port.

Examples % telnet 192.0.1.88:7000
(connects to the remote console port of the specified host)

% telnet 192.0.1.66:3001
(forms a raw TCP/IP connection to the unit's serial console port)

Local> TELNET 192.0.1.45:2003
(forms a connection with Telnet IAC interpretation to the unit's third serial port)

See Also Your Installation Guide for more information on socket connections

B.2.1.2 +C and -C

+C specifies CR to CRLF. -C specifies CR to LF.

Examples Local» define ports preferred telnet 192.0.1.3:+C

B.2.1.3 +D and -D

+D sets Backspace mode. -D sets Delete mode.

Examples % telnet 192.0.1.5:-D

B.2.1.4 +E and -E

+E sets Local Echo mode. -E sets Remote Echo mode.

Examples % telnet 192.0.1.48:+E

B.2.1.5 +P and -P

+P specifies Passall method. -P specifies Passthru mode. Both Passall and Passthru will prevent the proper
handling of the Forward and Backward keys.

Examples Local» define dedicated telnet 192.0.1.221:+p

B.2.1.6 R

Specifies that the connection use the Rlogin protocol. Sets the port number to 513 if not already set.

Examples Local» define ports dedicated tcp 192.0.1.8:R

B.2.1.7 T

Forms a raw Telnet connection. If no environment string is specified, a Telnet connection is assumed.

Examples Local> DEFINE PORTS DEDICATED TCP chimaera:2001T
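
A parser for the environment strings in Table A-1, added here as an illustration for anyone reviewing saved configurations for exposed console or raw-TCP sockets; it is not SMC code. The result field names are hypothetical, and it assumes points the appendix leaves open: C, D, E and P need a sign, R and T take none, R's default port of 513 is applied after all keys are read, and "200x"/"300x" mean a single-digit serial port number.

```python
import re

# Signed keys from Table A-1: result field name and the meaning of each sign.
SIGNED_KEYS = {
    "C": ("cr_translation", {"+": "CRLF", "-": "LF"}),
    "D": ("erase_mode", {"+": "backspace", "-": "delete"}),
    "E": ("echo", {"+": "local", "-": "remote"}),
    "P": ("pass_mode", {"+": "passall", "-": "passthru"}),
}
UNSIGNED_KEYS = {"R": "rlogin", "T": "tcp"}
TOKEN = re.compile(r"(\d+)|([+-])([A-Za-z])|([A-Za-z])")


def parse_environment(env):
    """Return the settings selected by an environment string such as '2001+P'."""
    if any(ch.isspace() for ch in env):
        raise ValueError("no white space is allowed in an environment string")
    settings = {}
    pos = 0
    while pos < len(env):
        m = TOKEN.match(env, pos)
        if m is None:
            raise ValueError(f"unexpected {env[pos]!r} at position {pos}")
        digits, sign, signed_key, bare_key = m.groups()
        if digits is not None:
            port = int(digits)
            if not 1 <= port <= 65535:
                raise ValueError("socket number out of range")
            settings["port"] = port
        elif sign is not None:
            key = signed_key.upper()              # key letters ignore case
            if key not in SIGNED_KEYS:
                raise ValueError(f"key {key} does not take a sign")
            field, meanings = SIGNED_KEYS[key]
            settings[field] = meanings[sign]      # a later key overwrites
        else:
            key = bare_key.upper()
            if key not in UNSIGNED_KEYS:
                raise ValueError(f"key {key} needs a + or - prefix")
            settings["protocol"] = UNSIGNED_KEYS[key]
        pos = m.end()
    if settings.get("protocol") == "rlogin":
        settings.setdefault("port", 513)          # only if no socket was given
    return settings


def parse_target(target):
    """Split 'host:keys' into (host or None, settings)."""
    host, _, env = target.partition(":")
    return (host or None), parse_environment(env)


def classify_socket(port):
    """Map a socket number to the ranges named in section B.2.1.1."""
    if port == 7000:
        return ("remote console", None)
    if 2001 <= port <= 2009:
        return ("telnet", port - 2000)
    if 3001 <= port <= 3009:
        return ("raw tcp", port - 3000)
    return ("other", None)


if __name__ == "__main__":
    # Targets taken from the examples in this appendix.
    for target in ("192.0.1.3:2001+P", "192.0.1.8:R", "chimaera:2001T"):
        print(target, parse_target(target))
```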

C: SNMP Support

SNMP is an abbreviation for Simple Network Management Protocol. SNMP commands enable users
(usually system administrators) to get information from and control other nodes on a local area network.

Information about SNMP can be obtained in RFCs (Request For Comments) which can be obtained via
anonymous FTP from nisc.jvnc.net. To obtain a specific RFC, use the pathname pub/RFC/rfcnnn, where
nnn is the name of the desired RFC. To obtain the RFC index, use the pathname pub/RFC/rfc-index.txt.

The extent to which other nodes may be controlled and/or queried for information is documented in
Management Information Bases (MIBs). The MIBs and SNMP in general are documented in RFCs 1066,
1067, 1098, 1317, 1318, and 1213.



Table B-1: Supported MIBs

MIB                          Description
MIB-II (RFC 1213):           System, Interface, Address Translation, IP, ICMP, TCP, and
                             UDP. They do not support the EGP group.
RS-232 MIB (RFC 1317):       All objects (RS-232-style objects).
Character MIB (RFC 1318):    All objects (character-oriented devices).



C.1 SNMP Support 

♦ The unit will respond to queries for unknown MIBs with a "not in MIB" error to the requesting host. 

♦ The unit has a local SNMP security table to restrict or prevent unauthorized SNMP configuration. 

♦ The unit will also generate limited forms of 3 of the SNMP traps. Traps are sent to a host when an 
abnormal event occurs on the unit. 

Currently, the unit will generate a Coldstart trap when it first boots, and will send a Linkup trap when the 
startupfile (if any) has been read from a host and normal operation commences. If a startupfile has been 
configured but the download fails, the unit will send an Authentication trap. In all 3 cases, the trap will be 
directed to the IP address of the loadhost for the unit. If a loadhost has not been specified (Flash ROM based 
units, for example), the traps will not be sent. The unit will not generate traps other than the cases listed here. 

C.2 SNMP Security 

Because SNMP can be used to change security settings, the unit provides a security mechanism for 
restricting SNMP access to the unit. The security mechanism is linked to the SNMP community name. By 
default, the only allowed community name is Public, which is given only Read privilege.

To change, add, or delete community names in the table, Set/Define SNMP and Clear/Purge SNMP are
used. Set SNMP requires specification of a community name and an access type. Available access types are
Readonly, Both (allows read and write), or None. Clear SNMP requires either a community name to remove
a single entry or the All parameter to clear the entire table. Show/Monitor/List SNMP commands require
privileged access to prevent unauthorized users from seeing the allowed community names.

The unit sends an error message when it receives SNMP queries or Set requests that are not permitted for
the current user.

D: Supported RADIUS Attributes



This appendix lists and explains the RADIUS attributes currently supported by the unit. The unit transmits 
these attributes whenever they are appropriate for the given connection. 

Users cannot directly specify which attributes the unit will transmit — this is negotiated for each connection 
based on the connection type and requirements. For example, CHAP-Challenge packets are only needed for 
PPP connections that authenticate via CHAP. 



D.1 Authentication Attributes 

D.1.1 Access-Request

For Access-Request packets, the unit can transmit the following attributes.

User-Name
User-Password
CHAP-Password         Either a User-Password or CHAP-Password will be sent.
CHAP-Challenge
NAS-Identifier        The NAS-Identifier is the unit's name string configured with the
                      Set/Define Server Name command.
NAS-Port
NAS-Port-Type
Service-Type          The Service-Type will be either Login or Framed (PPP/SLIP).
Framed-Protocol       When the Service-Type is Framed or Callback-Framed, this value
                      denotes which of the framed protocols (PPP or SLIP) is being used for the
                      connection.
Calling-Station-ID    When Caller-ID is enabled on the port and a phone number is found in the
                      modem's response string, the unit will report this value.

Note: For more information about Caller-ID, see the Caller-ID section on page 8-11.

D.1.2 Access-Accept



The unit interprets reply attributes based on the Service-Type received in the Access-Accept. Supported 
service types include: 



Login              The user is connected to a specific host.

Framed             A PPP or SLIP connection is started.

Callback-Login     The user is disconnected and called back, then connected to a host.

Callback-Framed    The user is disconnected and called back, then begins a PPP or SLIP mode
                   connection.

Prompt             The user is provided with a command line prompt on the unit from which
                   it is possible to enter privileged commands.

Table C-1 shows the additional attributes that can be used in Access-Accept packets sent by the RADIUS
server. Items marked with plus signs (+) are only valid when the Service-Type is Login or Callback-Login.
Items marked with asterisks (*) are only valid when the Service-Type is Framed or Callback-Framed.

Table C-1: Access-Accept Attributes

Attribute                    Supported Values (if any)
Framed-Protocol*             PPP
                             SLIP
Framed-IP-Address*           See , page -3
Framed-Routing*              Send
                             Listen
                             Send & Listen
                             None
Filter-ID*                   See , page -3
Framed-MTU*
Framed-Compression*          None
                             Van-Jacobson TCP/IP Header Compression
                             IPX Header Compression
Login-IP-Host+               See , page -3
Login-Service+               Telnet
                             Rlogin
                             TCP-Clear (raw TCP connection)
Login-TCP-Port+
Reply-Message
Framed-IPX-Network*
Session-Timeout
Idle-Timeout
Framed-AppleTalk-Link*
Framed-AppleTalk-Network*

Note: To use both Van-Jacobson TCP/IP header compression and IPX header
compression, send the Framed-Compression value twice (once for each type).

D.1.2.1 Framed-IP-Address



Using this attribute is equivalent to setting the remote address range of a site to "undefined." Two values 
are available: 

♦ 255.255.255.255 (0xFFFFFFFF) allows the user to choose an IP address

♦ 255.255.255.254 (0xFFFFFFFE) assigns the user an address from the unit IP address pool

If an IP address pool is defined for the unit and the incoming user asks for an address, one will be assigned 
from the pool. If the user asks for a specific address, the user will be given the address, provided it is 
available. In the absence of an address pool, the user will be given any address that he requests. 

D.1.2.2 Filter-ID 

The unit renames filters by appending suffixes based on the filter type. For example, a filter named "dallas"
configured on the unit will be renamed "dallas.in" (for an incoming filter), "dallas.out" (for an outgoing
filter), "dallas.idl" (for an idle timeout filter), and "dallas.st" (for a startup filter).

Note: The maximum filter name length is 12 characters, but names should be limited to 8
characters to account for the added suffix.

To understand how the Filter-ID attribute works, imagine that user irvine is trying to make a PPP 
connection using RADIUS authentication. When the connection is initiated, the unit starts a copy of the 
default site. 

During the authentication phase, RADIUS looks in NVR for a site that has the same name as the user. If 
RADIUS finds a match, this site becomes the base site. If the unit does not find a match, RADIUS will use 
a copy of the default site as the base site. RADIUS uses the attributes passed from the RADIUS server 
during authentication to modify the base site. 

If the Filter-ID attribute is present and has the value "irvine," RADIUS examines NVR for a filter named 
irvine.in. If it finds the filter, it uses that filter as the incoming filter for the site. If it doesn't find the filter, 
the incoming filter from the base site, if any, is used. If no incoming filter is defined for the base site, no 
incoming filter is used. RADIUS then repeats the process for the other three filter types (outgoing, idle, and 
startup). As long as RADIUS finds at least one filter matching the Filter-ID value, the connection will 
succeed. 

However, if the Filter-ID attribute is present and no filters are found matching the Filter-ID value, the 
connection is refused. This prevents a potential security hole created when a user is allowed to connect 
without the intended restrictions being enforced. 

Note: Because startup filters only apply to outgoing sites, which RADIUS doesn't 
handle, there is no need to define a startup filter for a RADIUS user. 
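
The lookup described in this section can be modelled as follows. This is an added example, not code from the unit or the manual; the function names, the set/dictionary model of NVR, and every filter or site name other than "irvine" and "dallas" are assumptions.

```python
# Added example: a model of the Filter-ID lookup, not the unit's firmware.
SUFFIXES = {"incoming": ".in", "outgoing": ".out", "idle": ".idl", "startup": ".st"}
MAX_FILTER_NAME = 12  # limit stated in the note above


class ConnectionRefused(Exception):
    """Filter-ID was sent but no filter on the unit matches it."""


def select_base_site(user, nvr_sites, default_site):
    """Site named after the user if one exists, else a copy of the default site."""
    return dict(nvr_sites.get(user, default_site))


def resolve_filters(filter_id, nvr_filters, base_site):
    """Return {filter_type: filter name or None} for the session.

    filter_id   -- Filter-ID from the Access-Accept, or None if not sent
    nvr_filters -- set of filter names stored on the unit (hypothetical model)
    base_site   -- filter_type -> filter name configured on the base site
    """
    if filter_id is None:
        # Attribute absent: the base site's filters apply unchanged.
        return {kind: base_site.get(kind) for kind in SUFFIXES}
    resolved, matched = {}, 0
    for kind, suffix in SUFFIXES.items():
        candidate = filter_id + suffix
        if candidate in nvr_filters:
            resolved[kind] = candidate
            matched += 1
        else:
            # Fall back to the base site's filter of this type, if any.
            resolved[kind] = base_site.get(kind)
    if matched == 0:
        # Fail closed: never connect the user without the intended restrictions.
        raise ConnectionRefused("no filter matches Filter-ID %r" % filter_id)
    return resolved


def audit_filter_id(filter_id, nvr_filters):
    """Pre-deployment check for one Filter-ID value used on the RADIUS server."""
    findings = []
    if len(filter_id) + max(map(len, SUFFIXES.values())) > MAX_FILTER_NAME:
        findings.append("name too long once a suffix is appended")
    # Startup filters are skipped: the text notes RADIUS users do not need one.
    missing = [kind for kind, suffix in SUFFIXES.items()
               if kind != "startup" and filter_id + suffix not in nvr_filters]
    if len(missing) == 3 and filter_id + ".st" not in nvr_filters:
        findings.append("no matching filter: connection will be refused")
    elif missing:
        findings.append("falls back to base site for: " + ", ".join(missing))
    return findings


# Constructed sample data.
NVR_FILTERS = {"irvine.in", "dallas.in", "dallas.out", "dallas.idl"}
NVR_SITES = {"april": {"incoming": "lan.in"}}
DEFAULT_SITE = {"incoming": None, "outgoing": None, "idle": "default.idl"}

if __name__ == "__main__":
    base = select_base_site("irvine", NVR_SITES, DEFAULT_SITE)
    print(resolve_filters("irvine", NVR_FILTERS, base))
    print(audit_filter_id("irvine", NVR_FILTERS))
    try:
        resolve_filters("tustin", NVR_FILTERS, base)
    except ConnectionRefused as exc:
        print("refused:", exc)
```

A partial match is worth reviewing: the session is accepted, but the filter types that were not found come from the base site rather than from the Filter-ID value.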

D.1.2.3 Login-IP-Host 

If the Service-Type is Login or Callback-Login and the Login-IP-Host value is not set or is set to 0.0.0.0,
the preferred Telnet host will be used. If the Service-Type is Login or Callback-Login and this value is set
to 255.255.255.255, the user will be prompted to enter the name of the host to use for the connection,
including normal unit environment strings. If present, the Login-TCP-Port value will override the
user-entered environment.

If Login-Service is Rlogin and the Login-IP-Host value is not set, the unit makes an Rlogin connection to
the preferred Telnet host.

D.2 Accounting Attributes 

For all Accounting packets, the unit transmits Acct-Status-Type (On, Off, Start, or Stop) and the unit's
NAS-Identifier. For individual Accounting-Start and Accounting-Stop packets, the unit can also transmit
the attributes listed in Table C-2.

Note: Items marked with * are only sent when the Service-Type value is Framed or 
Callback-Framed. 

Table C-2: Accounting Packet Attributes

Accounting-Start        Accounting-Stop
----------------------  --------------------------------
Acct-Session-ID         Acct-Session-ID
Acct-Delay-Time         Acct-Delay-Time
User-Name               User-Name
NAS-Identifier          NAS-Identifier
NAS-Port                NAS-Port
NAS-Port-Type           Class
Calling-Station-ID      Acct-Input-Octets
Class                   Acct-Output-Octets
Service-Type            Acct-Input-Packets*
Framed-Protocol*        Acct-Output-Packets*
Framed-IP-Address*      Acct-Session-Time
Framed-Routing*         Acct-Terminate-Cause (if known)
Filter-ID*
Framed-MTU*
Framed-Compression*
Idle-Timeout
Session-Timeout



D.3 Examples 

The following examples can be used as templates for the public domain Merit RADIUS server available via 
anonymous FTP at ftp.merit.edu. The examples will also work with the public domain Livingston 
RADIUS server available via anonymous FTP at ftp.livingston.com. 
If you are using a different server, please note that the file format for the Merit and Livingston RADIUS
servers is of the following form:

    username check-item1, check-item2, check-itemN
        reply-item1,
        reply-item2,

        reply-itemN



Check-items are attribute/value pairs that must be received from the authentication client (for example, the
unit) for authentication to occur. Reply-items are attribute/value pairs that will be returned to the client upon
authentication. Note that the Merit and Livingston Password attribute may be used to match either
User-Password or CHAP-Password.

Note: Please read your RADIUS server's documentation for more information about 
how to configure your RADIUS server. 

D.3.1 Configuring Basic Authenticated PPP Connections

The following entry allows user april to gain access to a LAN via PPP using the IP address 192.0.1.58: 



    april   Password = "fools"
            Service-Type = Framed,
            Framed-Protocol = PPP,
            Framed-IP-Address = 192.0.1.58



This user may be authenticated via PPP PAP, PPP CHAP, or via the local mode username and password 
prompts. If authenticated by the latter, the user will automatically be forced to execute the command Set 
PPP sitename; Logout where sitename is the name of the site dynamically created by the unit for this user. 

Note: All settings in the default site other than the IP address will apply for this user. 

Here is a more complicated example for a dialback PPP user who is not allowed to perform a local mode 
login: 



    april   Password = "fools", Service-Type = Framed, Framed-Protocol = PPP
            Service-Type = Callback-Framed,
            Framed-Protocol = PPP,
            Framed-IP-Address = 192.0.1.233,
            Callback-Number = "555 1234"



D.3.2 Forcing a Telnet Connection to the Preferred Host

The following example shows a local mode user that is forced to Telnet to the unit's preferred Telnet host: 



    froggy  Password = "ribbit"
            Service-Type = Login

The Telnet; Logout command is forced as soon as authentication is complete. To force the user to make an
Rlogin connection to the preferred Telnet host, add "Login-IP-Service = Rlogin" to the reply-item list.

D.3.3 Forcing a Telnet Connection to a Specific Port 

To force the user to Telnet to a particular port on the specified host, add the Login-IP-Port attribute: 



    froggy  Password = "ribbit"
            Service-Type = Login,
            Login-IP-Host = 192.0.1.155,
            Login-IP-Service = Telnet,
            Login-IP-Port = 1000



The Connect Telnet 192.0.1.155:1000 command is forced as soon as authentication is complete. 
Remember that if a user connects via PPP and is authenticated by the RADIUS server with Service-Type 
set to Login or Prompt, the unit RADIUS client code will reject the user because a user cannot be made to 
fall out of PPP mode into local (character) mode. 

D.3.4 Preventing RADIUS Authentication 

You may wish to prevent the user from being authenticated by the RADIUS server in the first place. If so, 
enter the following: 



    froggy  Password = "ribbit", Service-Type = Login
            Service-Type = Login,
            Login-IP-Host = 192.0.1.88,
            Login-IP-Service = Telnet,
            Login-IP-Port = 1000



In this case, if the unit sends an authentication request for the user froggy with the Service-Type set to 
Framed, the authentication request will be rejected by the RADIUS server. 
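
The users-file layout and the Service-Type behaviour in D.3.1 through D.3.4 can be checked with a small model of both sides. This is an added example, not Merit, Livingston or unit code; the function names, the "ppp"/"local" labels and the user "newt" are assumptions, and passwords are compared as plain text for simplicity.

```python
import re

# Constructed users file. "april" and "froggy" are the D.3.1 and D.3.4 entries;
# "newt" is a made-up user with the D.3.3 reply-items and no Service-Type check-item.
USERS_FILE = '''\
april   Password = "fools", Service-Type = Framed, Framed-Protocol = PPP
        Service-Type = Callback-Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.0.1.233,
        Callback-Number = "555 1234"

froggy  Password = "ribbit", Service-Type = Login
        Service-Type = Login,
        Login-IP-Host = 192.0.1.88,
        Login-IP-Service = Telnet,
        Login-IP-Port = 1000

newt    Password = "pond"
        Service-Type = Login,
        Login-IP-Host = 192.0.1.155,
        Login-IP-Service = Telnet,
        Login-IP-Port = 1000
'''

# attribute = value, where value is either "quoted" or a bare token
PAIR = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def _pairs(text):
    return [(attr, value.strip('"')) for attr, value in PAIR.findall(text)]


def parse_users(text):
    """Parse into {username: {"check": [(attr, value)], "reply": [(attr, value)]}}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():              # indented line: reply-items
            if current is None:
                raise ValueError("reply-item before any username line")
            users[current]["reply"] += _pairs(line)
        else:                              # username followed by check-items
            parts = line.split(None, 1)
            current = parts[0]
            rest = parts[1] if len(parts) > 1 else ""
            users[current] = {"check": _pairs(rest), "reply": []}
    return users


def server_decision(users, request):
    """Return the reply-items dict (Access-Accept) or None (Access-Reject).

    Simplification: Password is compared as plain text; a real server checks it
    against User-Password or CHAP-Password.
    """
    entry = users.get(request.get("User-Name"))
    if entry is None:
        return None
    for attr, expected in entry["check"]:
        if request.get(attr) != expected:  # missing or different: no match
            return None
    return dict(entry["reply"])


def unit_decision(link_mode, reply):
    """Unit-side rule from D.3.3: a PPP caller cannot drop into local mode."""
    if link_mode == "ppp" and reply.get("Service-Type") in ("Login", "Prompt"):
        return False
    return True


def decide(users, request, link_mode):
    """Combine both sides: server check-items first, then the unit's own rule."""
    reply = server_decision(users, request)
    if reply is None:
        return "rejected by server"
    if not unit_decision(link_mode, reply):
        return "rejected by unit"
    return "accepted"
```

With the Service-Type check-item (froggy) the mismatch is stopped at the server; without it (newt) the server accepts a PPP caller and only the unit's rule refuses the session.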









